Parsing message using kv filter

toms130 · February 13, 2020, 5:43pm

Hi all,

I'd like to parse some part of a message with VKv filter, and keep end of the message into another field.

Message is :
[MarketplaceGroup=data][MarketplaceId=10][AccountId=1234] updating 926 items

My filter is :
filter {
kv {
source => "message"
field_split_pattern => "\]\["
trim_key => "\[\]"
trim_value => "\[\]"
}
}

Result I have is :
{
"MarketplaceGroup" => "data",
"@timestamp" => 2020-02-13T17:15:30.615Z,
"MarketplaceId" => "10",
"AccountId" => "1234] updating 926 items",
"message" => "[MarketplaceGroup=data] [MarketplaceId=10] [AccountId=1324] updating 926 items"
}

result I'd like to have is :

{
"MarketplaceGroup" => "data",
"@timestamp" => 2020-02-13T17:15:30.615Z,
"MarketplaceId" => "10",
"AccountId" => "1234",
"message" => "updating 926 items"
}

I can't find how to define all my key/values are inside braces, and rest of field is what I want to keep in message field (or store in another field, whatever)

thanks
thomas

Badger · February 13, 2020, 11:29pm

I would

mutate { copy => { "message" => "otherMessage" } }
mutate { gsub => [ "message", "[^\]]*$", "", "otherMessage", ".*\]([^\]]*)$", "\1" ] }

then kv the [message] field.

toms130 · February 14, 2020, 8:04am

Ah, regex magic, it works like a charm!
thanks badger

system · March 13, 2020, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.