Using KV filter

soodlikesjava · July 24, 2016, 1:21am

Hi team I have a requirement to create fields by matching key>value in the event . but KV filter should consider only those KV filters which are enclosed under brackets like
message : logging data (key1>value1,key2>value2) and rest key3>value3

now if i use kv filter to create search fields key1 and key2 . Kv filter field_split should consider only key1 and key2 and it should not consider key3 .

when i am using below config , it is considering key3 also :

kv {
source => "logmessage"
allow_duplicate_values => false
field_split => "(^\s,?\s$)"
value_split => ">?"
}

Actual output :
key1 => value1
key2 => value2
key3 => value3

Expected output should be :

key1 => value1
key2 => value2

Please suggest...

jpcarey · July 24, 2016, 2:02am

Use a grok to pull out the content between parenthesis / brackets. Then, you can run the kv filter directly on that new field (use @metdata or just drop the field on a successful kv execution.

soodlikesjava · July 24, 2016, 2:04am

Can you please explain what @metdata field does , if i dont use mutate to remove field

jpcarey · July 24, 2016, 2:11am

Check out this blog. @metdata is a special field/object that is normally not output. This allows for creating ephemeral fields that can be used for logic and routing. If you are printing to stdout, you need to enable @metadata output (the blog covers this).

Topic		Replies	Views
Logstash KV filter time field Logstash elastic-stack-monitoring , elastic-stack-security	6	491	August 17, 2021
Create KV-pairs for field not in key:value format and use ruby filter on KV pairs Logstash	4	463	August 6, 2021
Kv filter's behavior when square brackets in log data Logstash	2	1180	August 18, 2017
Fields splitting from kv filter not containing blank values Logstash	3	383	January 9, 2020
Logstash using KV filter creating a field with an array rather than individual fields and individual values Logstash	3	677	December 22, 2021

Using KV filter

Related topics