logstash-plugins / logstash-filter-dissect

Extract structured fields from an unstructured line
Apache License 2.0

Dissect behavior #8

Closed duylong closed 7 years ago

duylong commented 7 years ago

My test:

filter {
  dissect {
    mapping => {
      "tag" => "%{program}[%{pid}]:"
    }
  }
}
tag = "dhcpd:"
result:

program = ""
pid = "dhcpd:"

Why is there no failure? There is no _dissectfailure tag...

duylong commented 7 years ago

Hmm, my tag field is complex to analyze because we can have many choices:

tag = "dhcpd:"
tag = "dhcpd[12345]:"
tag = "dhcpd[]:"
tag = "dhcpd[]"

I'll stay with grok for this case.

guyboertje commented 7 years ago

future readers: The behaviour is this...
1) starting at char 0, advance through the characters trying to find the first delimiter `[`
2) no delimiter is found from start:0 to end:5
3) put the 'rest' into the last field pid; in the above example the 'rest' is all characters 0 to 5.

@duylong The docs strongly suggest that you use an if clause before a dissect filter to ensure that the text is in the correct layout for the dissection.

In your case grok would perform just fine. Be sure to anchor your grok pattern; see https://www.elastic.co/blog/do-you-grok-grok
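The following is an added example, not code from the logstash-filter-dissect plugin or from either commenter. It is a toy Ruby model of the scan guyboertje describes (delimiter not found, so the rest of the line lands in the last field and no failure is signalled), reproducing the `program = ""`, `pid = "dhcpd:"` result from duylong's first comment, and then shows the two mitigations the thread recommends: a layout check standing in for the `if` clause, and an anchored grok-style regex that covers the four tag variants duylong lists. The method names (`toy_dissect`, `layout_ok?`, `parse_tag`), the constants and the sample tags are all assumptions made for this example; the model assumes a mapping that begins with a `%{field}` token.

```ruby
# Added example (not the plugin's code): a toy model of the dissect scan described
# in this thread, plus a layout guard and an anchored regex for the tag variants.

# Split a mapping such as "%{program}[%{pid}]:" into [field, delimiter-after-field]
# pairs, e.g. [["program", "["], ["pid", "]:"]]. Assumes the mapping starts with a field.
def parse_mapping(mapping)
  mapping.scan(/%\{([^}]*)\}([^%]*)/)
end

# Toy dissect: walk the text, locating each delimiter in turn. When a delimiter is
# not found, the remaining text is put into the LAST field and the fields in between
# stay empty. Nothing signals failure, which is the behaviour the issue asks about.
def toy_dissect(mapping, text)
  pieces = parse_mapping(mapping)
  last_field = pieces[-1][0]
  result = {}
  pos = 0
  pieces.each_with_index do |(field, delim), i|
    idx = delim.empty? ? text.length : text.index(delim, pos)
    if idx.nil?
      # delimiter missing: this and the following fields are empty, except the
      # last one, which swallows the rest of the line ("dhcpd:" -> pid = "dhcpd:")
      pieces[i..-1].each { |f, _| result[f] = "" }
      result[last_field] = text[pos..-1]
      return result
    end
    result[field] = text[pos...idx]
    pos = idx + delim.length
  end
  result
end

# The "if clause" guyboertje recommends, as a plain method: only dissect when the
# text really has the program[pid]: layout. In a Logstash config the same guard
# would read  if [tag] =~ /^[^\[]+\[\d*\]:$/ { dissect { ... } }  (illustrative).
TAG_LAYOUT = /\A[^\[\]]+\[\d*\]:\z/

def layout_ok?(text)
  !!(text =~ TAG_LAYOUT)
end

# An anchored grok-style pattern covering all four variants from the thread:
# "dhcpd:", "dhcpd[12345]:", "dhcpd[]:", "dhcpd[]". The anchors (\A ... \z) are
# what stop "dhcpd:" from being silently accepted as a pid.
TAG_RE = /\A(?<program>[^\[\]:]+)(?:\[(?<pid>\d*)\])?:?\z/

def parse_tag(text)
  m = TAG_RE.match(text)
  return nil if m.nil? # a genuine failure signal, unlike the dissect result above
  { "program" => m[:program], "pid" => m[:pid] } # pid is nil when there is no bracket
end

if __FILE__ == $0
  # constructed sample tags, taken from the variants listed in the thread
  ["dhcpd:", "dhcpd[12345]:", "dhcpd[]:", "dhcpd[]"].each do |tag|
    puts "#{tag.inspect}: dissect=#{toy_dissect('%{program}[%{pid}]:', tag).inspect} " \
         "layout_ok=#{layout_ok?(tag)} regex=#{parse_tag(tag).inspect}"
  end
end
```

Running the script prints one line per tag: the toy dissect shows the silent fallback for "dhcpd:", `layout_ok?` is true only for the two tags that match the mapping's layout, and `parse_tag` returns nil for input that matches none of the variants, which is the failure signal dissect does not give here.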