The Kv plugin, field_split uses spaces to cut, but the value contains spaces. Value cutting is incomplete

sun_changlong · August 31, 2018, 8:57am

My data format is:
evel="2" treatment="3" cmd="\"D:\Program Files (x86)\360\360safe\modules\setup.exe\" /s /smartsilence" type="sys"

Use the kv plugin, use " " to cut, and then use "=" to parse, but the value of the cmd field contains the escape character and contains the cut character.

The hope is that:

key = cmd
value = "D:\Program Files (x86)\360\360safe\modules\setup.exe" /s /smartsilence

but, the result is :

key = cmd
value = "D:\Program

or

key = cmd
value = "D:\Program Files (x86)\360\360safe\modules\setup.exe

kv {
       source => "message"
       field_split => " ?"
       value_split => "="
 }

or

kv {
       source => "message"
       field_split => " ?"
       value_split => "="
       trim_value => "\" "
 }

Can the kv plugin achieve the results I expected? How to operate?

system · September 28, 2018, 8:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.