Using KV filter

soodlikesjava · July 24, 2016, 1:21am

Hi team I have a requirement to create fields by matching key>value in the event . but KV filter should consider only those KV filters which are enclosed under brackets like
message : logging data (key1>value1,key2>value2) and rest key3>value3

now if i use kv filter to create search fields key1 and key2 . Kv filter field_split should consider only key1 and key2 and it should not consider key3 .

when i am using below config , it is considering key3 also :

kv {
source => "logmessage"
allow_duplicate_values => false
field_split => "(^\s,?\s$)"
value_split => ">?"
}

Actual output :
key1 => value1
key2 => value2
key3 => value3

Expected output should be :

key1 => value1
key2 => value2

Please suggest...

jpcarey · July 24, 2016, 2:02am

Use a grok to pull out the content between parenthesis / brackets. Then, you can run the kv filter directly on that new field (use @metdata or just drop the field on a successful kv execution.

soodlikesjava · July 24, 2016, 2:04am

Can you please explain what @metdata field does , if i dont use mutate to remove field

jpcarey · July 24, 2016, 2:11am

Check out this blog. @metdata is a special field/object that is normally not output. This allows for creating ephemeral fields that can be used for logic and routing. If you are printing to stdout, you need to enable @metadata output (the blog covers this).