Using a Windows implementation of the most current version of Logstash, I am importing a CSV file with log events, originally from a Windows .evtx file.
I noticed there appear to be several issues with the .csv file that cause Logstash problems.
- Some events have multiline formatting
- Some fields contain a comma and orphan quotes
When I manually fix these issues in a CSV editor, Logstash processes the file just fine. But how do I edit the Logstash .conf file to fix these 2 issues automatically?
For the multiline issue: I have experimented with using the multiline codec in the filter section (or does it go in the input section?). I'm searching each line to see if it begins properly. If not, join that line to the previous line. But it doesn't seem to work.
For replacing all quotes and commas in all fields: I have experimented with mutate, gsub in the filter section of the conf file. Is this the best way to do it? No luck either.
Thanks in advance if you have any advice or solutions.
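
One way to wire up the two fixes described in the question, as an added example that is not part of the original post: the multiline codec sits on the input, and the quote cleanup runs on the raw `message` before any column splitting. The file path, the record-start pattern, the column order (free-text message last, as in an Event Viewer CSV export) and the field names are assumptions, and `dissect` is swapped in for the `csv` filter so that commas in the final column stay in one field.

```logstash
input {
  file {
    path => "C:/logs/events.csv"        # assumed path; forward slashes on Windows
    start_position => "beginning"
    sincedb_path => "NUL"                # do not remember read position (Windows null device)
    # Codecs belong to inputs. Any line that does NOT start like a new record
    # is appended to the previous line.
    codec => multiline {
      # Assumed record start: the Level column of an Event Viewer export.
      pattern => "^(Information|Warning|Error|Critical|Verbose),"
      negate => true
      what => "previous"
      auto_flush_interval => 2           # flush the last buffered event at end of file
    }
  }
}

filter {
  # The header row never matches the record-start pattern; discard it.
  if [message] =~ /^Level,/ {
    drop { }
  }

  # Clean the raw line BEFORE splitting it into columns. Running gsub on the
  # parsed fields is too late: the orphan quote has already broken the parse.
  mutate {
    gsub => [
      "message", "[\r\n]+", " ",         # joined continuation lines become one line
      "message", '"', ""                 # remove every double quote, orphaned or paired
    ]
  }

  # Split on the first five commas only; the last field takes the rest of the
  # line, so commas inside the event text no longer create extra columns.
  dissect {
    mapping => {
      "message" => "%{level},%{timestamp},%{source},%{event_id},%{task_category},%{event_message}"
    }
  }
}

output {
  stdout { codec => rubydebug }          # inspect parsed events while testing
}
```

Events that do not fit the assumed layout are tagged `_dissectfailure`, which gives a quick way to find rows the pattern or column order does not cover.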