I am trying to figure out a way to either:
- Replace all spaces in the field with underscores
OR
- Capture the entire string with the spaces into the field.
Every solution that I have found does not work so far. I've looked throughout the documentation of the filter itself and the mutate filter as well.
Sample Log:
[ REMARKS = An attempt was made to access an object. ]
What the current output is:
"remarks" => "An"
Configuration:
Please help. All is appreciated.
I would not use kv for that. How about this?...
dissect { mapping => { "message" => "[ %{[@metadata][fieldname]} = %{[@metadata][fieldvalue]} ]" } }
mutate { add_field => { "%{[@metadata][fieldname]}" => "%{[@metadata][fieldvalue]}" } }
Thank you for your reply.
I tried what you suggested and it did not do the trick. Is there a way to change the default delimiter of KV?
Yes. Either field_split or value_split (or the _pattern versions of these) depending on what you want to change.
Okay, I'll give that a shot. Thank you.
Can I only do a single delimiter with kv or can I do multiple? Because I would have to capture fieldname between "[" and "=", then the field data between "=" and "]", as shown below:
[ SOURCE = XXX-XX-XX ] [ REMARKS = An attempt was made to access an object. ]
Last time I attempted this, all of the fieldnames worked but the data within them was "][ ".
Thanks again.
Read the documentation. It supports both multiple characters and regexps for both field and value delimiters.
I just got it to work! Thanks for your help. @Badger
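The splitting rule discussed in this thread (field name between "[" and "=", value between "=" and "]"), as an added Ruby illustration that is not code from the thread or from Logstash. The function names are hypothetical, the input is the sample line quoted above, and lowercasing the keys is an assumption that mirrors the "remarks" output shown in the question.

```ruby
# Added illustration (not Logstash code): parse "[ KEY = value ]" groups.
# SAMPLE is the two-field line quoted in the thread.
SAMPLE = "[ SOURCE = XXX-XX-XX ] [ REMARKS = An attempt was made to access an object. ]"

# One bracketed group: the key is everything before the first "=",
# the value is everything up to the closing "]" (inner spaces kept).
PAIR = /\[\s*([^=\]]+?)\s*=\s*([^\]]*?)\s*\]/

# Returns a Hash of lowercased keys to full values.
# underscores: true replaces each run of whitespace in a value with "_".
def parse_bracketed(line, underscores: false)
  line.scan(PAIR).each_with_object({}) do |(key, value), out|
    value = value.gsub(/\s+/, "_") if underscores
    out[key.downcase] = value
  end
end

# Contrast: treating a space as the end of a value cuts it at the first word.
def parse_space_split(line)
  out = {}
  line.scan(/(\w+)\s*=\s*(\S+)/) { |key, value| out[key.downcase] = value }
  out
end

if __FILE__ == $PROGRAM_NAME
  p parse_space_split(SAMPLE)
  p parse_bracketed(SAMPLE)
  p parse_bracketed(SAMPLE, underscores: true)
end
```

Running the same sample line through a pipeline and comparing against this output is a quick way to confirm that the chosen field and value delimiters keep the whole remark.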