Hi there,
I have the following input:
<134> device="SFW" date=2016-11-15 time=00:00:35 timezone="CET" device_name="SG430" device_id=S50049065BB50F7 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="PortMGMT" out_interface="" src_mac=78:ac:c0:88:a8:aa src_ip=0.0.0.0 src_country_code= dst_ip=255.255.255.255 dst_country_code= protocol="UDP" src_port=68 dst_port=67 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat"
But logstash index it as follows:
sent_pkts 0
src_country_code dst_ip=255.255.255.255
src_ip 0.0.0.0
How can I prevent logstash to index key without values. Is there a replacement string that I can run in front. If I find the following: '= ' replace it with '=""' before kv{} does it job.