Splitting message log

wizard · February 10, 2022, 7:07am

Hello,

When I am collecting logs from Syslog and transferring those logs to kibana using filebeat, I am getting a tab named by message in row format as below mention:

I want this to be in a separate field like below mention so I can create the dashboard.

_gateway date=2022-01-07
time=02:43:13
devname="AXYY"
devid="FG201ETK19901061"
logid="00000"
type="traffic"
subtype="forward"
level="notice"
vd="root"
eventtime=1648272
tz="+0800"
srcip=192.168.12.12
srcname="XY"

Is there any way to split these logs?

grumo35 · February 10, 2022, 8:35am

Hey !

You can surely use the KV filter plugin consider you dont use logstash you might want to setup an Elasticsearch ingest pipeline with filter processor like

{
  "kv": {
    "field": "message",
    "field_split": " ",
    "value_split": "="
  }
}

wizard · February 10, 2022, 10:49am

Everything is working fine except the field split, I m not able to add whitespce in field_split. Please see the below mention screenshot. Can you please look into this and confirm what possible action I can perform?

grumo35 · February 25, 2022, 3:04pm

Hey,

I think you should read the bottom of your screenshot, as it is told a space it typically enclosed in " "

system · March 25, 2022, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split Log Message That harvested by filebeat Elasticsearch	2	1794	December 12, 2018
I need to split the message term field into different terms Kibana	3	5700	March 21, 2018
Kafka input kibana message one field Logstash	3	309	March 3, 2022
How to Split Message Field with Exchange LOG Information Kibana	3	1407	April 30, 2019
Splitting message field Elasticsearch	6	2889	March 13, 2020

Splitting message log

Related topics