Why is my logstash skipping delimiter in dissect mapping?

elasticheart · July 30, 2018, 9:26am

Hi,

I am using GA 6.3.0. I am taking input from Kafka. I have messages like;

<Jul 18, 2018 4:39:53:857 PM> <> <> <> <> <qqq.wwww.eeee.RrrrrTttttt> <qwerty>\n <INFO : khkas sdahkhahsk ldsahkhk dsfalk kjhdsfkahkh. >

I am using the dessect filter to chop it like;

filter {
  dissect {
    mapping => {
      "message" => "<%{timestamp}> <%{f1}> <%{f2}> <%{f3}> <%{f4}> <%{f5}> <%{f6}>\n <%{f7}"
    }
  }
}

But everything is perfect till f5. Then f6 become blank (it should contain qwerty in this case) and f7 will contain both f6 and f7 data. Why is this happening? How to fix this?

Thanks.

Badger · July 30, 2018, 1:19pm

It's related to the \n. Is that a newline? The following configuration parses the line correctly.

    input { generator { count => 1 message => '<Jul 18, 2018 4:39:53:857 PM> <> <> <> <> <qqq.wwww.eeee.RrrrrTttttt> <qwerty> 
 <INFO : khkas sdahkhahsk ldsahkhk dsfalk kjhdsfkahkh. >' } }
    output { stdout { codec => rubydebug } }
    filter {
        dissect { mapping => { "message" => "<%{timestamp}> <%{f1}> <%{f2}> <%{f3}> <%{f4}> <%{f5}> <%{f6}>
 <%{f7}" } }
    }

system · August 27, 2018, 1:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble with \n in dissect filter mapping Logstash	3	305	August 1, 2018
Dissect filter is not dissecting properly Logstash	2	2293	February 1, 2018
Logstack dissect missing delimiter Logstash	3	378	May 9, 2018
Dissect filter - Empty data between delimiter: unexpected behavior Logstash	1	232	April 8, 2020
Help using logstash dissect filtering Logstash	3	325	June 18, 2019

Why is my logstash skipping delimiter in dissect mapping?

Related topics