Why is my logstash skipping delimiter in dissect mapping?

elasticheart · July 30, 2018, 9:26am

Hi,

I am using GA 6.3.0. I am taking input from Kafka. I have messages like;

<Jul 18, 2018 4:39:53:857 PM> <> <> <> <> <qqq.wwww.eeee.RrrrrTttttt> <qwerty>\n <INFO : khkas sdahkhahsk ldsahkhk dsfalk kjhdsfkahkh. >

I am using the dessect filter to chop it like;

filter {
  dissect {
    mapping => {
      "message" => "<%{timestamp}> <%{f1}> <%{f2}> <%{f3}> <%{f4}> <%{f5}> <%{f6}>\n <%{f7}"
    }
  }
}

But everything is perfect till f5. Then f6 become blank (it should contain qwerty in this case) and f7 will contain both f6 and f7 data. Why is this happening? How to fix this?

Thanks.

Badger · July 30, 2018, 1:19pm

It's related to the \n. Is that a newline? The following configuration parses the line correctly.

    input { generator { count => 1 message => '<Jul 18, 2018 4:39:53:857 PM> <> <> <> <> <qqq.wwww.eeee.RrrrrTttttt> <qwerty> 
 <INFO : khkas sdahkhahsk ldsahkhk dsfalk kjhdsfkahkh. >' } }
    output { stdout { codec => rubydebug } }
    filter {
        dissect { mapping => { "message" => "<%{timestamp}> <%{f1}> <%{f2}> <%{f3}> <%{f4}> <%{f5}> <%{f6}>
 <%{f7}" } }
    }

system · August 27, 2018, 1:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dissect filter is not dissecting properly Logstash	2	2328	February 1, 2018
Trouble with \n in dissect filter mapping Logstash	3	328	August 1, 2018
How to set /n as delimiter in dissect filter Logstash	4	1381	February 14, 2018
How to use \n as a delimeter in dissect filter Logstash	10	1395	September 23, 2020
How to use Dissect to handle a newline Logstash	3	815	March 26, 2019

Why is my logstash skipping delimiter in dissect mapping?

Related topics