Logstash field with a null fvalue

Question

I'm using logstash to parse a value like:

|SERVLETSESSIONS=|

My bit to capture it is:

\|SERVLETSESSIONS=(?<servlet_sessions>[0-9]*)\|

I do not get an error, and all my other fields match, but I think I should get an empty value like "servlet_sessions" => "" in my stdout { codec => rubydebug } } but I do not have the servlet_sessions key there.

Any ideas?

PhaedrusTheGreek · Accepted Answer · 2015-09-09T14:35:26.647

1

I think you are looking for the keep_empty_captures parameter of the Grok filter configuration.

input {  stdin { }  }

filter {
  grok {
    keep_empty_captures => true
    match => { "message" => "\|SERVLETSESSIONS=(?<servlet_sessions>[0-9]*)\|" }
  }
}

output { stdout { codec => rubydebug } }

The above configuration results in the following output:

{
          "message" => "|SERVLETSESSIONS=|",
         "@version" => "1",
       "@timestamp" => "2015-09-09T13:44:52.754Z",
             "host" => "localhost",
 "servlet_sessions" => ""
}

edited Sep 09 '15 at 14:35

answered Sep 09 '15 at 13:47

PhaedrusTheGreek

554
1
7
8

agreed :) verbosity++ – PhaedrusTheGreek Sep 09 '15 at 14:37

Logstash field with a null fvalue

1 Answers1