Logstash KV parsing : k=field, v=value

Elastic Stack Logstash
1

Hi,
I am trying to use Logstash KV filter and I am having some difficulties. After some Logstash processing I get the following field "new_parsed":
"new_parsed" => "{n=Tuner_TotalHolePackets, v=0},{n=Tuner_TotalPacketsExpired, v=0},{n=Tuner_TotalPacketsReceived, v=845775},{n=Tuner_HoleTooLarge, v=0}

I would like to parse the "new_parsed" field to get each value for each field name:
"Tuner_TotalHolePackets" => "0",
"Tuner_TotalPacketsExpired" => "0",
"Tuner_TotalPacketsReceived" => "845775",
"Tuner_HoleTooLarge" => "0",

Does anyone know would to do this?
Thank you for your attention

2

I suspect the kv filter can't do this, but it would be trivial with a ruby filter.

1 Like
3

One such ruby filter would be

  ruby {
    code => '
      s = event.get("tuner_new")
      s.scan( /\{n=([^,]+), v=([^}]+)\}/ ) { |n, v| event.set(n , v) }
    '
  }

Error checking is left as an exercise for the reader.

1 Like
4

Thank you very much @Badger it worked perfectly fine!
Regards, João

5

this as a json file replica => as :

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.