Splitting message log

wizard · February 10, 2022, 7:07am

Hello,

When I am collecting logs from Syslog and transferring those logs to kibana using filebeat, I am getting a tab named by message in row format as below mention:

I want this to be in a separate field like below mention so I can create the dashboard.

_gateway date=2022-01-07
time=02:43:13
devname="AXYY"
devid="FG201ETK19901061"
logid="00000"
type="traffic"
subtype="forward"
level="notice"
vd="root"
eventtime=1648272
tz="+0800"
srcip=192.168.12.12
srcname="XY"

Is there any way to split these logs?

grumo35 · February 10, 2022, 8:35am

Hey !

You can surely use the KV filter plugin consider you dont use logstash you might want to setup an Elasticsearch ingest pipeline with filter processor like

{
  "kv": {
    "field": "message",
    "field_split": " ",
    "value_split": "="
  }
}

wizard · February 10, 2022, 10:49am

Everything is working fine except the field split, I m not able to add whitespce in field_split. Please see the below mention screenshot. Can you please look into this and confirm what possible action I can perform?

grumo35 · February 25, 2022, 3:04pm

Hey,

I think you should read the bottom of your screenshot, as it is told a space it typically enclosed in " "

system · March 25, 2022, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split Log Message That harvested by filebeat Elasticsearch	2	1791	December 12, 2018
Kafka input kibana message one field Logstash	3	309	March 3, 2022
Splitting message field Elasticsearch	6	2870	March 13, 2020
Logstash Filter \|\| Json Message to Split Fields Logstash	3	2117	October 14, 2019
How to split message field for IIS log.. In debugger it is splitting but when i run config file it is not splitting, so not able to use in Kibana Grpahs Logstash	2	703	February 26, 2019

Splitting message log

Related Topics