Logstash KV plugin working

(shashwat) #1


I am trying to use Logstash's KV plugin. I have the following log format:
time taken for transfer for all files in seconds=23 transfer start time= 201708030959 transfer end time = 201708030959

My .conf file has the following KV plugin:
filter {
  kv {
    value_split => "="
  }
}

When I run Logstash, it parses the complete log file line by line, excluding the one having "=". I need seconds, start time and end time to be separated as key-value pairs. Please suggest.

(Archelle Pagapulan) #2

I have used kv as well, and what I did was use mutate gsub to turn the key into one word.
Example:
Here, I remove all the spaces, so that it will become key=value
transfer start time = transfer_start_time
transfer end time = transfer_end_time

Then do the kv filter.

Hope this helps.

(shashwat) #3

Thanks, I will try this.

(shashwat) #4


I could parse all the data and could see it in Kibana. But for the "time" key, it combines both values in a single field, like time = "201708030959 ,201708030959", which seems to be correct as per the default implementation.

I need both timings as separate fields like "start time = 201708030959" and "end time=201708030959", so that I can use them separately. You mentioned using gsub to make a new field from the available one. Can you please show how exactly we can do that?


(shashwat) #5


Can you please provide an example of it to combine the field?
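
The approach suggested in post #2 (gsub the multi-word keys into single tokens, then run kv), written out as an added example that is not part of the original posts. The field name transfer_seconds, the scratch field [@metadata][kv_src] and the timestamp pattern are assumptions; transfer_start_time and transfer_end_time follow the names used in post #2.

```logstash
filter {
  # Work on a copy so the raw line in "message" stays intact for later review.
  mutate {
    copy => { "message" => "[@metadata][kv_src]" }
  }

  # Rewrite each multi-word key (and any spaces around "=") into a single
  # token, so the line becomes key=value pairs separated by single spaces.
  mutate {
    gsub => [
      "[@metadata][kv_src]", "time taken for transfer for all files in seconds *= *", "transfer_seconds=",
      "[@metadata][kv_src]", "transfer start time *= *", "transfer_start_time=",
      "[@metadata][kv_src]", "transfer end time *= *", "transfer_end_time="
    ]
  }

  kv {
    source       => "[@metadata][kv_src]"
    field_split  => " "
    value_split  => "="
    # Only these keys become event fields; anything else in the line is ignored.
    include_keys => ["transfer_seconds", "transfer_start_time", "transfer_end_time"]
  }

  mutate {
    convert => { "transfer_seconds" => "integer" }
  }

  # Assumption: the 12-digit values are yyyyMMddHHmm in the Logstash host's time zone.
  date {
    match  => ["transfer_start_time", "yyyyMMddHHmm"]
    target => "transfer_start_time"
  }
  date {
    match  => ["transfer_end_time", "yyyyMMddHHmm"]
    target => "transfer_end_time"
  }
}
```

With the sample line from post #1, the scratch field becomes `transfer_seconds=23 transfer_start_time=201708030959 transfer_end_time=201708030959`, so kv emits three separate fields instead of one combined "time" field.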



