My data format is:
evel="2" treatment="3" cmd="\"D:\Program Files (x86)\360\360safe\modules\setup.exe\" /s /smartsilence" type="sys"
Use the kv plugin, use " " to cut, and then use "=" to parse, but the value of the cmd field contains the escape character and contains the cut character.
The hope is that:
key = cmd
value = "D:\Program Files (x86)\360\360safe\modules\setup.exe" /s /smartsilence
but, the result is :
key = cmd
value = "D:\Program
or
key = cmd
value = "D:\Program Files (x86)\360\360safe\modules\setup.exe
kv {
source => "message"
field_split => " ?"
value_split => "="
}
or
kv {
source => "message"
field_split => " ?"
value_split => "="
trim_value => "\" "
}
Can the kv plugin achieve the results I expected? How to operate?