Seems that 5.2 broke the CSV output plugin. This generates a "csv" with all the message fields, all the time, NOT separated by commas but by spaces, even though "blah" does not exist as a field. This works correctly in 2.3 and is horribly broken in 5.2.
To recreate, pass in a file with this in it:
00:00:00.0 COMM_TURNED_ON YODA
Use this grok pattern:
EVENT_COMM_TURNED_ON %{TIME:event_time}%{SPACE}%{NOTSPACE:event_type}%{SPACE}%{NOTSPACE:name}
input { stdin { } }
filter {
  grok {
    # directory holding the pattern file with EVENT_COMM_TURNED_ON
    patterns_dir => ["C:/src/elk/broken"]
    match => ["message", "%{EVENT_COMM_TURNED_ON}"]
  }
}
output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch {
      index => "raw-data-%{+YYYY.MM.dd}"
    }
    if "COMM_TURNED_ON" in [message] {
      csv {
        # "blah" is deliberately a field the event does not have
        fields => ["blah"]
        csv_options => {"col_sep" => "," "row_sep" => "\r\n"}
        path => "C:/src/elk/comm_turned_on.csv"
      }
    }
  }
}
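A stand-alone way to check what this pipeline should produce, added here as an example and not part of the report above or of the Logstash CSV output plugin's code: the grok pattern is expanded into a Ruby regex (the HOUR/MINUTE/SECOND/SPACE/NOTSPACE bodies are the stock grok definitions, reproduced here as an assumption, and TIME's leading lookahead is omitted), the sample line is matched, and the row is rendered with Ruby's CSV library using the same col_sep/row_sep as csv_options. That a field the event lacks comes out as an empty column is an assumption about the intended behaviour, not something the report states.

```ruby
require "csv"

# Constructed sub-pattern table (assumed to match the stock grok definitions).
GROK = {
  "HOUR"     => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"   => '(?:[0-5][0-9])',
  "SECOND"   => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "TIME"     => '%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  "SPACE"    => '\s*',
  "NOTSPACE" => '\S+',
}

# Expand %{NAME:field} into a named capture and %{NAME} into a plain group,
# repeating until no grok references remain, then anchor the whole pattern.
def grok_to_regexp(pattern)
  src = pattern
  src = src.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = GROK.fetch(name)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end while src.include?("%{")
  Regexp.new("\\A#{src}\\z")
end

# The EVENT_COMM_TURNED_ON pattern from the report's pattern file.
EVENT_COMM_TURNED_ON = grok_to_regexp(
  "%{TIME:event_time}%{SPACE}%{NOTSPACE:event_type}%{SPACE}%{NOTSPACE:name}"
)

# Returns the captured fields as a hash, or nil when the line does not match
# (the case the grok filter tags with _grokparsefailure).
def grok_match(line)
  m = EVENT_COMM_TURNED_ON.match(line)
  m && m.named_captures
end

# Render one CSV row for the configured `fields` only, with the separators
# from csv_options. A missing field yields an empty column (assumption).
def csv_row(event, fields, col_sep: ",", row_sep: "\r\n")
  CSV.generate_line(fields.map { |f| event[f] }, col_sep: col_sep, row_sep: row_sep)
end

if __FILE__ == $0
  line = "00:00:00.0 COMM_TURNED_ON YODA" # the sample input line from the report
  event = grok_match(line)
  p event
  print csv_row(event, ["blah"])                               # empty row
  print csv_row(event, ["event_time", "event_type", "name"])   # all three fields
end
```

Run it as `ruby check_csv.rb` (assumed file name); the second row is what you would expect the csv output to write if `fields` listed the three captured names, and the first is the empty row that `fields => ["blah"]` should give rather than the space-separated dump of every field described above.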