Split field into multiple fields

mavericknd · September 13, 2021, 3:34pm

Hi,

i have the following log and want the key value pairs inside message (ipAddress=1.1.1.1 realmId=some_realm) to be separate fields. I tried with grok, kv, mutate, nothing works, no change in kibana.
If somebody can help, please.
@timestamp: Sep 13, 2021 @ 14:43:38.265 @version: 1 @version.keyword: 1 facility: logstash-gelf
facility.keyword: logstash-gelf host: etcd1 host.keyword: etcd1 level: 4 LoggerName: org.keycloak.events LoggerName.keyword: org.keycloak.events message: type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.3.6, error=expired_code, restart_after_timeout=true, authSessionParentId=fab5767d-8c66-47cd-9479-3b2c6e8bbfd2, authSessionTabId=kGyxYwuAu6I message.keyword: type=LOGIN_ERROR, realmId=master, clientId=null,

AquaX · September 14, 2021, 8:22pm

The kv filter should take care of this.

filter { kv { field_split_pattern => ", " } }

mavericknd · September 17, 2021, 7:02am

Unfortunately it doesn't work. Not even with ",\s"

mavericknd · September 17, 2021, 2:14pm

i managed to make it work. I had a typo

system · October 15, 2021, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.