Parsing nested key/value pairs with kv

gogators · November 2, 2015, 3:54pm

I'm trying to parse a log file that is composed of key/value pairs separated by '='. The problem I have is that some of the keys need to be interpreted as nested objects. For example a log line might look like this:

11/02/2015 09:51:59 key1=val_1 key2=val_2 object1.field1=val_11 object1.field2=val_12 key3=val_3 ....

I do not know apriori all the possible keys or fields. But there is a limited set of objects. The order of appearance on a line is also unknown. The kv filter creates field names like "object1.field1". Later I want to use the elasticsearch output plug to index the log messages and I need it as an nested field within the document, e.g.

{
  "key1": "val_1",
  "object1": { 
      "field1": "val_11", 
      "field2": "val_12"
  }
  "key2": "val_2",
  "key3": "val_3"
}

How can parse these into nested objects?

treksler · June 28, 2016, 10:31pm

Did you ever figure out an efficient way to do this?
I am currently thinking of using grok to parse out the object.submessage pairs and then using kv to parse the key value pairs in the submessage and using target to send them up to the object, instead of rootlevel

gogators · August 30, 2016, 7:59pm

Basically, I'm using kv include_keys with object.fieldX values. Then I use 'rename': "Object.fieldX" => " [Object][fieldX]" to put it in an actual object. I'm lucky since I know all the object <=> field pairs that I care about. There might be others, but they are unimportant to me. I still don't know how to capture them all.

Topic		Replies	Views
KV pairs automatically parsed by logstash? Logstash	4	99	April 10, 2024
Nested key-values parsed with KV Logstash	6	452	January 2, 2021
Parsing an array of KV pairs Logstash	2	495	February 21, 2019
Parsing non-JSON key - lists-of-values pairs Logstash	1	234	April 14, 2020
KV Filtering data between square brackets Logstash	7	1824	May 1, 2018

Parsing nested key/value pairs with kv

Related topics