KV with new lines

I have the following log:

2017-04-03 07:53:49,576 DEBUG [TESTING_DETAILS] -
###ERROR DETAILS ###

TestingError
CD Number: 12525
ID Testing: 20 NK 6969N5L
Message  :Testing Failed TZE [L00141D]
URL Path: /TestingURL

How can I use the kv plugin to get the fields (cd number, id testing, Message and Url path)?

I tried the following grok:

    filter {
      grok {
        # one capture per line of the multi-line event; the last pattern must be
        # GREEDYDATA with the dotall flag (?m), otherwise DATA at the end of the
        # pattern matches the empty string and ErrorInfo stays empty
        match => { "message" => "%{TIMESTAMP_ISO8601:Data} %{DATA:ErrorBasicMessage}\n%{DATA:ErrorInfoSection}\n%{NOTSPACE:ErrorName}\n(?m)%{GREEDYDATA:ErrorInfo}" }
      }
      mutate {
        # turn the date/time separator into "T" so Data is an ISO 8601 string
        gsub => ["Data", " ", "T"]
      }
      kv {
        source      => "ErrorInfo"
        value_split => ":"
        field_split => "\n"
      }
    }

Depending on which input+codec you use, the filters won't receive that block of text as a whole, but line by line (1 event per line).
If you remove the filters and use only the output { stdout { codec => rubydebug } } with your input, can you see that 1 event contains the multi-line string?

If not, then you must use the multiline codec in the input to generate a single event from all those lines, and then grok should work.
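As an added example (not the original poster's or the answerer's configuration), here is a complete pipeline that joins the lines with the multiline codec before grok and kv run. The file path, the extra field names (Level, Logger, cd_number, id_testing, url_path), the `(?m)` dotall flag in the grok pattern and the trim/rename options are my assumptions.

```conf
input {
  file {
    path => "/var/log/testing/app.log"   # assumed path
    start_position => "beginning"
    # every line that does NOT start with a timestamp belongs to the previous event
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate  => true
      what    => "previous"
      auto_flush_interval => 2   # seconds; flushes the last buffered event
    }
  }
}

filter {
  grok {
    # (?m) lets "." cross line breaks so GREEDYDATA takes the whole detail block;
    # \s* absorbs the blank line after "###ERROR DETAILS ###" if it is present
    match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:Data} %{LOGLEVEL:Level} \[%{DATA:Logger}\] -\s*###ERROR DETAILS ###\s*%{NOTSPACE:ErrorName}\s*%{GREEDYDATA:ErrorInfo}$" }
  }
  mutate {
    gsub => ["Data", " ", "T"]   # "2017-04-03 07:53:49,576" -> "2017-04-03T07:53:49,576"
  }
  kv {
    source      => "ErrorInfo"
    value_split => ":"
    field_split => "\n"
    trim_key    => " "   # "Message  " -> "Message"
    trim_value  => " "   # " 12525"    -> "12525"
  }
  mutate {
    # keys containing spaces are awkward downstream; rename them (assumed names)
    rename => {
      "CD Number"  => "cd_number"
      "ID Testing" => "id_testing"
      "URL Path"   => "url_path"
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

The line "TestingError" contains no ":" so kv skips it; it is captured separately as ErrorName by grok.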
