Hello guys,
I had specific log like that:
Fri Mar 18 14:06:17 2016 DISCONNECT C2075/2319 host 192.168.44.1/32949 (192.168.44.1)
Fri Mar 18 14:06:17 2016 DISCONNECT C610/3117 host 192.168.44.1/24080 (192.168.44.1)
Fri Mar 18 14:06:17 2016 CONNECT FROM C3118/- host 192.168.44.1/51345
Fri Mar 18 14:06:17 2016 CONNECT TO S3118/611 host 194.39.131.34/sapdp99 (194.39.131.34)
I would delete the word "host", Did you think it's possible in the filter ?
filter {
if [message] =~ "host" {
drop { }
}
}
Or if you are on linux just run the command "sed '/host/d' filename"
Yes , but drop delete host and everything after, I would delete only "host"
Use the mutate filter and its gsub option to replace "host" with an empty string.
Okay, I will try it 
I test with that, and it doesn't work , did I do a mistake ?
filter {
if "disconnect" in [tags] {
mutate {
gsub => [
"test", " host ", "."
]
}
PS: My tag works
Please show us an example event where it didn't work. Use a stdout { codec => rubydebug } output or copy/paste from the JSON tab in Kibana.
I test with logstash -f , I can only show you a screenshot 
I want to delete the word "host" because i want take the session (C2362/2980) and the IP with the port.
I can take the IP/port and the session , but not together because there is the word host who block the match
filter {
if "disconnect" in [tags] {
mutate {
gsub => [
"message", " host ", "."
]
}
}
I think you use gsub on the wrong field
Nice , thank you it works
I test with logstash -f , I can only show you a screenshot
I'm quite sure that your terminal window allows you to select text and copy it so that you can paste it into a tab in your web browser.
Ah , yes but i think you want only a json file 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.