Logstack dissect missing delimiter

snewman · April 11, 2018, 1:59pm

When using the dissect plugin for logstash, it correctly parses most of the message, except for the first field which uses the cat function. The test line that is being parsed is
2018-02-15|03:00:11.450|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST
The config file looks like
input{
beats{ port =>5044}
}

filter{
dissect{
mapping => {
"message" => "%{timestamp}|%{+timestamp}|%{level}|%{application}|%{module}|%{latitude}|%{longitude}|%{heading}|%{speed}|%{distance}|
%{pulse}|%{thread}|%{cpu}|%{freq}|%{mem}|%{text}"
}

}
date{
match => ["timestamp", "yyyy-MM-ddHH:mm:ss.SSS"]
}

mutate{
remove_field => [message]
}
}

output{
elasticsearch {
hosts => ["http://localhost:9200"]
}
}

Ignoring the date plugin, I see the parsed data for the field timestamp to be 2018-02-15|03:00:11.450
instead of 2018-02-1503:00:11.450

Badger · April 11, 2018, 2:14pm

Working as expected. See the NOTE in the documentation for append fields

The delimiter found before the field is appended with the value. If no delimiter is found before the field, a single space character is used.

snewman · April 11, 2018, 2:35pm

Thank you, missed that.

system · May 9, 2018, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.