Skip to content

KV Ingest Processor splitting on whitespace in message #31786

New issue
New issue
Open
Open
KV Ingest Processor splitting on whitespace in message#31786
Assignees
jakelandis
Labels
:Data Management/Ingest NodeExecution or management of Ingest Pipelines including GeoIP>enhancementTeam:Data ManagementMeta label for data/management team
@Evesy

Description

@Evesy
Evesy
opened on Jul 4, 2018

I'm trying to parse some logs in the logfmt format using the KV processor, example log line below:

time="2018-07-04T09:36:25Z" level=info msg="Schedule is not due, skipping" logSource="pkg/controller/schedule_controller.go:325" nextRunTime="2018-07-05 01:00:00 +0000 UTC" schedule=daily

The processor being used is:

"kv": {
  "field": "message",
  "field_split": " ",
  "value_split": "="
}

Due to the whitespaces in the msg key the logs are being incorrectly split midway through the message, resulting in the msg field being "Schedule

There's a similar issue open for the Logstash equivalent plugin here: logstash-plugins/logstash-filter-kv#9

It's my understanding that quoted values as above should be treated and parsed as a single value, and the quotes should then be stripped from the resulting field value.

If this isn't the case it would be good to expose these options, as it makes the kv processor a lot less versatile without.

Cheers,
Mike

Metadata

Metadata

Assignees

Labels

:Data Management/Ingest NodeExecution or management of Ingest Pipelines including GeoIP>enhancementTeam:Data ManagementMeta label for data/management team

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions