Logstash KV filter escape ":"

Jim_Thunder · May 12, 2022, 10:23pm

Hello, I have a message here (all message will be like this):

{"Time": "2022-05-12T04:18:46.077", "HostName": "IBMNOAH", "Cat": "JOBLOG", "Severity": "Err", "SAF": 1, "SAFD": "RACF", "Name": "TEST", "JobName": "DBS1MSTR", "JobID": "JOB03954", "Rec": " 23:18:36 ERROR ID=DSNLIRTR000300000000000::172.31.206.121 FOR THREAD WITH"}

This is my code to parse properly:

filter {
    kv {
        value_split => ":"
        remove_char_value => ","
    }
}

The one issue I have is that the value of the final field, "Rec", contains colons : which throws off the kv{} filter. How can I escape those colons so the kv filter grabs everything inside the "" for each key:value pair?

Badger · May 12, 2022, 10:54pm

As I said in the other thread, use a json filter, not a kv filter.

system · June 9, 2022, 10:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with KV Filter when value ends with escape character Logstash	5	1087	September 9, 2019
KV filter is unable to handle = within a key value Logstash	6	1278	November 14, 2017
Kv filter's behavior when square brackets in log data Logstash	2	1180	August 18, 2017
Question on kv filter Logstash	2	263	January 31, 2023
Kv filter - bracket removal in the field Logstash	3	566	April 10, 2018

Logstash KV filter escape ":"

Related topics