hutcheon Absent Member.

Delimiter in Value of a key-value file reader

I'm trying to update a syslog subparser to cover an additional case.  It's a key-value file reader-type parser.




However, I'm running into a problem where the VALUE of one of the pairs contains the delimiter.  This is a raw logline from a Cisco ACS threshold alarm:

Sep 25 15:00:00 tacacs-test CSCOacs_View_Alarm 0000000015 1 0 ACSVIEW_ALARM Threshold alarm  name="ACS - System Health",severity=Critical,cause="Alarm caused by ACS - System Health threshold",detail="(ACS Instance=tacacs-test1,CPU Utilization (%)=0.41,Memory Utilization (%)=5.80,Disk I/O Utilization (%)=0.26,Disk Space Used /opt (%)=5.89,Disk Space Used /localdisk: (%)=5.44,Disk Space Used / (%)=10.03) "

The existing parser regexes the first part, then sends the rest (bolded) to a key-value extraprocessor.  This setup works fine for all of the rest of the logs generated by the system.  However, with this log, the "detail" key contains the delimiter (comma), so I get this, and a bunch of other meaningless key/value pairs:

detail="(ACS Instance=hostname1

I've tested with text.qualifier=", but that doesn't seem to encapsulate the string (just causes the " to be ignored/removed).

This should be simple enough to do, but I'm having trouble finding any way to have the quotes taken seriously.
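
Added example, not part of the original post and not configuration for the parser being discussed: a Python sketch of quote-aware splitting run on the key-value tail of the log line above, next to the naive comma split that produces the broken pairs. The function names are hypothetical, and it assumes values never contain an escaped quote character.

```python
# Key-value tail of the ACS alarm line quoted in the post.
SAMPLE = (
    'name="ACS - System Health",severity=Critical,'
    'cause="Alarm caused by ACS - System Health threshold",'
    'detail="(ACS Instance=tacacs-test1,CPU Utilization (%)=0.41,'
    'Memory Utilization (%)=5.80,Disk I/O Utilization (%)=0.26,'
    'Disk Space Used /opt (%)=5.89,Disk Space Used /localdisk: (%)=5.44,'
    'Disk Space Used / (%)=10.03) "'
)

def naive_pairs(text):
    """Split on every comma, ignoring quotes (the failing behaviour)."""
    return [tok.partition("=")[::2] for tok in text.split(",")]

def split_fields(text, delim=",", quote='"'):
    """Split on delim only while outside a quoted region."""
    fields, buf, in_quotes = [], [], False
    for ch in text:
        if ch == quote:
            in_quotes = not in_quotes
        if ch == delim and not in_quotes:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        # Truncated syslog lines can leave a quote open; fail loudly.
        raise ValueError("unterminated quoted value")
    fields.append("".join(buf))
    return fields

def parse_kv(text):
    """Return {key: value}, splitting each field on its first '=' only."""
    pairs = {}
    for field in split_fields(text):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the qualifier, keep the contents
        pairs[key.strip()] = value
    return pairs

def parse_detail(detail):
    """Second pass: detail is itself a parenthesised key=value list."""
    inner = detail.strip().strip("()")
    return dict(f.partition("=")[::2] for f in inner.split(","))
```

The second pass over the detail value is what recovers the individual utilization figures once the outer split has kept the quoted string whole.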
