Logstash Parsing - kv filter

Raj_Kumar · November 15, 2017, 10:07am

Hi All,

Iam trying to parse the events using kv filter ,

my kibana looks likes this

How to make just

but iam getting like 78AE89C45C: from : ebay@ebay.com

moreover iam getting duplicate fields as well, how to remove it .

my logstash config looks like this

input {
udp {
port => 5540
}
}

filter{
json{
source => "message"
}
kv {
source => "MESSAGE"
remove_field => ["MESSAGE"]
value_split => "="
field_split => ","
trim_value => "<>"
}
}

Please do help me in fixing this issue ,really need it .
Thanks,
Raj

magnusbaeck · November 15, 2017, 1:11pm

Use a grok or dissect filter to extract the key=value list into a field of its own so that what you're feeding to the kv filter is

from=<ebay@ebay.com> ...

and not

78AE89C45C: from=<ebay@ebay.com> ...

Raj_Kumar · November 20, 2017, 12:06pm

Thanks Magnus ,I will try this and check

system · December 18, 2017, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.