Hi all,
when using this configuration:
input {
  syslog {
    port => 1337
    host => "0.0.0.0"
    codec => line {
      delimiter => "\n"
    }
  }
}
with the kv filter it fails with the tag "_grokparsefailure_sysloginput", although the default delimiter is "\n". I am trying to change the delimiter to "\r\n", but I can't even work with "\n" as a delimiter. It looks like it is trying to split lines by "\n" and also "\n", but when staying on the default it is not splitting lines as "\n".
Error:
{
    "facility" => 0,
    "facility_label" => "kernel",
    "@timestamp" => 2020-04-20T09:19:49.637Z,
    "severity" => 0,
    "severity_label" => "Emergency",
    "priority" => 0,
    "message" => "Accept-Encoding: gzip, deflate",
    "tags" => [
        [0] "_grokparsefailure_sysloginput"
    ],
    "host" => "1.3.3.7",
    "@version" => "1"
}
Is there any other way to trim \r from the message (it is causing me to use a workaround on the kv filter)?
Thanks.