Altering the content of a field

Hi,
I have a grok filter like this:
grok {
  patterns_dir => "./patterns/custom-patterns"
  match => {"message" => ["%{IP:remoteIp}%{SPACE}%{MAC:remoteMac}%{SPACE}%{NUMBER}%{SPACE}%{WORD}%{SPACE}%{PORT:localPort}%{SPACE}vlan-id%{SPACE}%{NUMBER:vid}"]}
  add_tag => ["neighbor_node"]
}

and it works fine. The thing is, the field labeled as remoteMac is ":"-separated, e.g. 00:00:5e:00:01:a3.
Now my question is: is there a way to remove the ":" and save the result again in the remoteMac field?

Thanks

Use a mutate filter and its gsub option to remove the colons from the field contents.

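The mutate approach from the answer above, written out as an added example (not code posted in the thread). It goes slightly beyond the question: the character class also strips the `-` and `.` separators that the stock `%{MAC}` grok pattern accepts, and the conditional on the `neighbor_node` tag and the lowercase step are assumptions about how the field will be used downstream.

```logstash
filter {
  # Only touch events that the grok filter in the question matched and tagged.
  if "neighbor_node" in [tags] {
    mutate {
      # gsub takes triples: field name, regular expression, replacement.
      # %{MAC} matches colon-, hyphen- and dot-separated addresses,
      # so strip all three separators and write the result back to remoteMac.
      gsub => ["remoteMac", "[:.-]", ""]
    }
    mutate {
      # Assumption: normalise case so the same address always yields the
      # same string when it is searched or correlated later.
      lowercase => ["remoteMac"]
    }
  }
}
```

With this in place, the sample value 00:00:5e:00:01:a3 is stored as 00005e0001a3.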

Thank you.
