Logfmt with spaces in the field name

I am using Telegraf to ship windows defender events out to loki viewer the windows event plugin in telegraf. This data is sent to loki in log format however, the field names have spaces which breaks parsing and leads to things like the having multi name values. I was wondering if there was a regex or pattern I can use and I will also submit a bug to the telegraf to see if the issue can be fixed there as well.

Message=“Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.” Data_Product Name=“Microsoft Defender Antivirus” Data_Error Code=“0x80508023” Data_Source ID=“4” Data_Additional Actions ID=“0” Data_Additional Actions String=“No additional actions required” TimeCreated=“2021-08-29T20:40:10.4206236Z” Data_Product Version=“4.18.2107.4” Data_Category Name=“Virus” Data_Detection User=“RENIER\Administrator” Data_Origin ID=“4” Data_Type Name=“Generic” Data_Pre Execution Status=“0” Data_Engine Version=“AM: 1.1.18400.5, NIS: 1.1.18400.5” Data_Threat Name=“Virus:VBS/Gascript.gen” Data_Source Name=“Downloads and attachments” Data_Process Name=“Unknown” Data_Detection ID="{BF74B0E6-71E8-4BA7-B34C-8AD42C04785A}" Data_Severity ID=“5” Data_FWLink=“Virus:VBS/Gascript.gen threat description - Microsoft Security Intelligence” Data_Path=“containerfile:_C:\Users\Administrator\Downloads\camila (1).zip; file:_C:\Users\Administrator\Downloads\camila (1).zip->VBS.Camila.vbs; webfile:_C:\Users\Administrator\Downloads\camila (1).zip|https://raw.githubusercontent.com/brandoski99/GEDZAC-E-zines-Sources-Malwares/master/camila.zip|pid:3656,ProcessStart:132747431943923497” Data_Type ID=“2” Data_Action ID=“1” Data_Action Name=“Clean” Data_Error Description=“The program could not find the malware and other potentially unwanted software on this device.” UserName=“NT AUTHORITY\SYSTEM” Data_Severity Name=“Severe” Data_Security intelligence Version=“AV: 1.347.650.0, AS: 1.347.650.0, NIS: 1.347.650.0” Data_State=“2” Data_Execution Name=“Unknown” Data_Post Clean Status=“0” Version=“0” Data_Category ID=“42” Data_Status Code=“2” Data_Execution ID=“0” Data_Remediation User=“NT AUTHORITY\SYSTEM” Data_Detection Time=“2021-08-29T20:39:56.067Z” Data_Threat ID=“2147538637” Data_Origin Name=“Internet”

github issue for telegraf windows events sent to loki with spaces in the field name · Issue #9691 · influxdata/telegraf · GitHub

They way I fixed this was be removing the spaces from the field name by using the telegraf rename processor

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.