Logstash KV filter escape ":"

Jim_Thunder · May 12, 2022, 10:23pm

Hello, I have a message here (all message will be like this):

{"Time": "2022-05-12T04:18:46.077", "HostName": "IBMNOAH", "Cat": "JOBLOG", "Severity": "Err", "SAF": 1, "SAFD": "RACF", "Name": "TEST", "JobName": "DBS1MSTR", "JobID": "JOB03954", "Rec": " 23:18:36 ERROR ID=DSNLIRTR000300000000000::172.31.206.121 FOR THREAD WITH"}

This is my code to parse properly:

filter {
    kv {
        value_split => ":"
        remove_char_value => ","
    }
}

The one issue I have is that the value of the final field, "Rec", contains colons : which throws off the kv{} filter. How can I escape those colons so the kv filter grabs everything inside the "" for each key:value pair?

Badger · May 12, 2022, 10:54pm

As I said in the other thread, use a json filter, not a kv filter.

system · June 9, 2022, 10:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with KV Filter when value ends with escape character Logstash	5	1085	September 9, 2019
KV filter is unable to handle = within a key value Logstash	6	1276	November 14, 2017
Kv filter's behavior when square brackets in log data Logstash	2	1178	August 18, 2017
Question on kv filter Logstash	2	263	January 31, 2023
Logstash KV filter time field Logstash elastic-stack-monitoring , elastic-stack-security	6	491	August 17, 2021

Logstash KV filter escape ":"

Related Topics