Using the KV filter in Logstash: cannot filter?

I use the KV filter in Logstash. I can get the value, but cannot filter. Why? Can the key not be uppercase?

if [host] == "10.9.10.10"
{
  kv
  {
    # keep only these keys from the parsed pairs (names are matched as written)
    include_keys => [ "ACMAC", "ACNAME", "APMAC", "APNAME", "SSID", "RADIOID", "USER", "MAC", "IPADDRESS" ]
    # even-length array, read as key/value pairs: added when the key is absent
    default_keys => [ "hostname", "XAFDWLC01", "type", "AC" ]
    value_split  => ":"        # separates a key from its value
    field_split  => ";"        # separates one pair from the next
    trim_value   => "<>\[\],"  # characters stripped from both ends of a value
  }
}

The raw message looks like this:

	<189>2022-05-24 11:43:43+08:00 NJ_AC_1 %%01CM/5/USER_OFFLINERESULT(s)[8242]:[WLAN_STA_INFO_OFFLINE]ACMAC:c0-f6-c2-bc-db-4b;ACNAME:NJ_AC_1;APMAC:28-68-d2-24-b5-c0;APNAME:NJ-910-AP-03;SSID:xmly-guset;RADIOID:0;USER:322c3bbea931;MAC:32-2c-3b-be-a9-31;IPADDRESS:10.11.22.65;TIME:1653363823;ZONE:UTC+0800;DAYLIGHT:false;SESSIONTIME:208;ERRCODE:216;RESULT:STA disassociation;USERGROUP:NULL;AUTHENPLACE:None;EXTENDINFO:The signal strength of the STA is -36 dbm.;CIB ID:12255;INTERFACE:Wlan-Dbss17524;ACCESS TYPE:None;RDSIP:-;Portal TYPE:-;AUTHID=2808033750;
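An added example, not from the original post or from the Logstash kv plugin: a small Python model of the kv options used above (field_split, value_split, trim_value, include_keys, default_keys), run over a constructed copy of the sample line. It assumes plain split-on-the-first-separator semantics, which is enough to show two things a practitioner would check first: that key names are compared exactly, so uppercase keys such as ACMAC are fine as long as include_keys spells them the same way, and that the syslog header in front of the first pair contains ':' in its timestamp, so the first ';' chunk does not split where one would expect. The strip_header helper stands in for a grok or dissect stage in front of kv, which the post does not show.

```python
# Added example: a Python model of the kv options in the post. It is NOT the
# Logstash plugin's own implementation; it assumes split-on-first-separator
# semantics so the effect of each option is visible.

# Constructed copy of the sample record from the post.
RAW = (
    "<189>2022-05-24 11:43:43+08:00 NJ_AC_1 %%01CM/5/USER_OFFLINERESULT(s)[8242]:"
    "[WLAN_STA_INFO_OFFLINE]ACMAC:c0-f6-c2-bc-db-4b;ACNAME:NJ_AC_1;"
    "APMAC:28-68-d2-24-b5-c0;APNAME:NJ-910-AP-03;SSID:xmly-guset;RADIOID:0;"
    "USER:322c3bbea931;MAC:32-2c-3b-be-a9-31;IPADDRESS:10.11.22.65;"
    "TIME:1653363823;ZONE:UTC+0800;DAYLIGHT:false;SESSIONTIME:208;ERRCODE:216;"
    "RESULT:STA disassociation;USERGROUP:NULL;AUTHENPLACE:None;"
    "EXTENDINFO:The signal strength of the STA is -36 dbm.;CIB ID:12255;"
    "INTERFACE:Wlan-Dbss17524;ACCESS TYPE:None;RDSIP:-;Portal TYPE:-;"
    "AUTHID=2808033750;"
)

# Option values from the posted config. Key names are compared exactly, so
# upper-case keys are fine as long as include_keys uses the same case.
INCLUDE_KEYS = ["ACMAC", "ACNAME", "APMAC", "APNAME", "SSID",
                "RADIOID", "USER", "MAC", "IPADDRESS"]
DEFAULT_KEYS = {"hostname": "XAFDWLC01", "type": "AC"}
TRIM_VALUE = "<>[],"  # the characters listed in trim_value => "<>\[\],"


def kv(text, field_split=";", value_split=":", include_keys=INCLUDE_KEYS,
       default_keys=DEFAULT_KEYS, trim_value=TRIM_VALUE):
    """Split text into fields on field_split, each field into key/value on
    the FIRST value_split, trim the listed characters (and whitespace) from
    both ends of the value, keep only keys in include_keys, then add any
    default_keys that are still missing."""
    parsed = {}
    for field in text.split(field_split):
        if value_split not in field:
            continue  # e.g. 'AUTHID=2808033750' uses '=', not ':'
        key, value = field.split(value_split, 1)
        key = key.strip()
        value = value.strip().strip(trim_value).strip()
        if key in include_keys and key not in parsed:
            parsed[key] = value
    for key, value in default_keys.items():
        parsed.setdefault(key, value)
    return parsed


def strip_header(text, marker="[WLAN_STA_INFO_OFFLINE]"):
    """Drop the syslog/device header up to and including the record marker.
    Stands in for a grok or dissect stage placed before kv (assumed; the
    post shows no such stage)."""
    idx = text.find(marker)
    return text if idx < 0 else text[idx + len(marker):]


def missing_keys(parsed, wanted=INCLUDE_KEYS):
    """Which of the wanted keys did the parse fail to produce?"""
    return [k for k in wanted if k not in parsed]


if __name__ == "__main__":
    # On the raw line the first ';' chunk starts with the header, whose
    # timestamp contains ':'. That first ':' is taken as the key/value
    # separator, so 'ACMAC:...' is swallowed into a junk value.
    print("raw line, missing:", missing_keys(kv(RAW)))        # ['ACMAC']
    # With the header removed every include_keys entry is present.
    clean = kv(strip_header(RAW))
    print("header stripped, missing:", missing_keys(clean))   # []
    for k in INCLUDE_KEYS + list(DEFAULT_KEYS):
        print(f"  {k} = {clean[k]}")
```

The check worth keeping from this is missing_keys: run it on the parsed event (or compare against the fields Kibana shows) before assuming the filter or the key case is at fault, and look at the first pair of the message if the first include_keys entry is the one that is absent.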

Without showing us what your [message] field looks like, there is no way we can know what the filter should look like.

It is done. ES had no mapping for this type of device (reason unknown to me). I restarted ES and rebuilt the index in Kibana, and then everything was OK.
