Logstack dissect missing delimiter

snewman · April 11, 2018, 1:59pm

When using the dissect plugin for logstash, it correctly parses most of the message, except for the first field which uses the cat function. The test line that is being parsed is
2018-02-15|03:00:11.450|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST
The config file looks like
input{
beats{ port =>5044}
}

filter{
dissect{
mapping => {
"message" => "%{timestamp}|%{+timestamp}|%{level}|%{application}|%{module}|%{latitude}|%{longitude}|%{heading}|%{speed}|%{distance}|
%{pulse}|%{thread}|%{cpu}|%{freq}|%{mem}|%{text}"
}

}
date{
match => ["timestamp", "yyyy-MM-ddHH:mm:ss.SSS"]
}

mutate{
remove_field => [message]
}
}

output{
elasticsearch {
hosts => ["http://localhost:9200"]
}
}

Ignoring the date plugin, I see the parsed data for the field timestamp to be 2018-02-15|03:00:11.450
instead of 2018-02-1503:00:11.450

Badger · April 11, 2018, 2:14pm

Working as expected. See the NOTE in the documentation for append fields

The delimiter found before the field is appended with the value. If no delimiter is found before the field, a single space character is used.

snewman · April 11, 2018, 2:35pm

Thank you, missed that.

system · May 9, 2018, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why is my logstash skipping delimiter in dissect mapping? Logstash	2	313	August 27, 2018
Parsing a string delimited log with Dissect Logstash	2	413	December 14, 2018
Help using logstash dissect filtering Logstash	3	325	June 18, 2019
Logstash not parser correctly with dissect Logstash	2	273	October 13, 2019
Advise for logstash filter Logstash	10	388	May 18, 2018

Logstack dissect missing delimiter

Related topics