Trouble with \n in dissect filter mapping

elasticheart · July 3, 2018, 10:27am

Hi,

I am using ELK GA 6.3.0. I use Logstash to read messages from Kafka as JSON. I have a message like;

<Mar 23, 2018 7:40:04:108 AM> <test_entry_1>\n <SEVERE: logline1\nlogline2\n>

I am using the dissect filter like;

dissect {
	mapping => {
		"message" => "<%{timestamp}> <%{entry1}>%{entry2}"
	}
}

This works fine. But it will make entry2 like \n <SEVERE: logline1\nlogline2\n>. I would like to remove \n and < > from entry2, so that I changed the filter like;

dissect {
	mapping => {
		"message" => "<%{timestamp}> <%{entry1}>\n <%{entry2}\n>"
	}
}

But now, the result is incorrect, means, there will be < and > in entry1 and the message is not getting dissected properly. Why is this happening and how to fix this?

Thanks.

Badger · July 3, 2018, 6:26pm

I do not understand dissect well enough to say why it happens, but you could move forward using

    mutate { gsub => [ "entry2", "[><]", "", "entry2", "
", " "  ] }

elasticheart · July 4, 2018, 5:03am

Cool, but that looks like my CPU usage will increase because of an additional filter

system · August 1, 2018, 5:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why is my logstash skipping delimiter in dissect mapping? Logstash	2	341	August 27, 2018
How to set /n as delimiter in dissect filter Logstash	4	1381	February 14, 2018
Dissect filter is not dissecting properly Logstash	2	2328	February 1, 2018
How to use \n as a delimeter in dissect filter Logstash	10	1395	September 23, 2020
Error with dissect filter [SOLVED] Logstash	9	4279	July 9, 2018

Trouble with \n in dissect filter mapping

Related topics