Here is my sample data
msg=key,value key2,value1 key3,value2,value3 key4,value4
My kv filter works and I end up with the result below
"toplvl.midlvl" = {
"key" => "value",
"key2" => "value1",
"key3" => "value2,value3",
"key4" => "value4"
}
So now I want to modify the value in key3 and remove value2 and the comma because I don't care about them. I just want value3 in that field.
I think I need to use gsub here
Blockquote gsub Match a regular expression against a field value and replace all matches with a replacement string.
mutate { gsub => [ "[toplvl][midlvl][key3]", "*,", "" ] }
It's not doing anything to the field
I even tried a rename of the field and that didn't work either.
I feel like I am not calling the field correctly but not sure why.
Please let me know if there is another way or if I am doing this incorrectly.
Thanks