Hi,
I am trying to use mutate split on '\t' (tab), but it only splits once, as shown below. I even tried converting the field to a string using mutate convert. Is it the double quotes? I even tried to escape the backslash '\t'.
mutate {
  convert => { "trapVariables" => "string" }
}
mutate {
  split => { "trapVariables" => "\t" }
}
The output looks like this:
"trapVariables" => [
[0] "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3299021) 9:09:50.21\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\tIF-MIB::ifIndex.528 = INTEGER: 528\tIF-MIB::ifAdminStatus.528 = INTEGER: down(2)\tIF-MIB::ifOperStatus.528 = INTEGER: down(2)\tIF-MIB::ifName.528 = STRING: ge-0/0/9"
],
Appreciate help on this, please.
I believe split would help to get the different sections of the varbinds. I also tried kv, but there seems to be an issue with it: trim key is unknown and Logstash fails to start.
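
Added example, not part of the original post: a filter that splits the field on real tab characters and breaks each varbind into a name and a value. It assumes `trapVariables` holds actual tabs (the rubydebug output prints those as `\t`) and that `config.support_escapes` is not enabled in logstash.yml; the target field `trapVarbinds` is a hypothetical name.

```logstash
filter {
  # Logstash only turns "\t" in a config string into a tab when logstash.yml
  # sets config.support_escapes: true. Without it, split => "\t" looks for a
  # backslash followed by the letter t, which never occurs in the field.
  # The single-quoted string below reaches Ruby unchanged, and Ruby itself
  # reads "\t" as a tab, so this works with the default setting.
  ruby {
    code => '
      raw = event.get("trapVariables")
      if raw.is_a?(String)
        varbinds = []
        raw.split("\t").each do |pair|
          name, value = pair.split(" = ", 2)
          next if value.nil?   # skip fragments without a name = value shape
          # Stored as name/value objects because varbind names contain dots,
          # which downstream stores may interpret as nested field paths.
          varbinds << { "name" => name.strip, "value" => value.strip }
        end
        event.set("trapVarbinds", varbinds)   # hypothetical target field
      end
    '
  }
}
```

With `config.support_escapes: true` set in logstash.yml, the original `split => { "trapVariables" => "\t" }` also splits on tabs.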