Logstash - elasticsarch and double quotes

cibernicola · April 14, 2021, 4:54pm

Hello
I'm trying to ingest logs wich have " in some of their fields as part of a string, I'm trying to scape them with \ or \ or \\ but no luck, so, is there any way to ingest double quotes from logs into elasticsearch using logstash?

Thanks.

Badger · April 14, 2021, 6:44pm

Why do you feel the need to escape them?

cibernicola · April 14, 2021, 6:46pm

Because I'm seeing errors in output when logstash is trying to "face" a field like: charCHar"charCHAr

Badger · April 14, 2021, 7:01pm

What errors are you seeing?

cibernicola · April 14, 2021, 7:06pm

For example:

field=>"message", :source=>"string,string"19\r", :exception=>#<CSV::MalformedCSVError: Illegal quoting in line 1.>}

Badger · April 14, 2021, 7:15pm

The CSV format requires that if a field is quoted (presumably because it may contain a comma) then the entire field must be quoted. That is, the first and last characters must be quotes. You cannot have additional characters such as a carriage return at the end of the field.

If the problem is just a \r at the end of the line you can remove it using mutate+gsub.

cibernicola · April 14, 2021, 7:22pm

I'll try, but the problem is, I guess, that the fuield is not quoted in the csv file, it may contain X double quote(s) or 0 in a field, like this:

fieldstringA, field"str""ingB\r
fieldstringA, fieldstringB\r
fieldstringA, fieldst"ringB\r

Badger · April 14, 2021, 8:44pm

If the fields never contain commas then another option is to replace the quotes with something else, run the csv filter, then gsub them back. I have not tested it, but something like

mutate { gsub => [ "message", '"', ":#$%^^&" ] }
csv { ... }
ruby {
    code => '
        event.to_hash.each { |k, v|
            if v.is_a? String
                event.remove(k)
                event.set(k, v.gsub(":#$%^^&", "\""))
            end
        }
    '
}

cibernicola · April 15, 2021, 7:58am

So, is not possible to ingest doublequotes? That's my problem, double quotes are part of some fields and what I need is to ingest them

Badger · April 15, 2021, 3:07pm

It is certainly possible to ingest double quotes, but if you want to use a csv filter then the message has to be a properly formatted CSV line. And "properly formatted" constrains the ways in which double quotes can appear.

cibernicola · April 15, 2021, 4:30pm

In fact the file I am trying to import is simply a list of text strings, formed by two values and separated by a constant value, without headers or too much complexity. Would it be perhaps interesting to use another import format, such as Json?

Badger · April 15, 2021, 4:49pm

You might be better off replacing the csv filter with dissect if I understood that correctly.

system · May 13, 2021, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.