My source CSV contains "," delimiters but has field data which contain this delimiter within double quotes.
I originally started the approach to remove the single "," within the double quoted strings since the csv{} filter identified the input has being malformed, but I noticed that I have some other fields containing double quotes with commas which are needed.
I decided to use mutate+gsub to identify all "," delimiters in the source data and replace them with a special character - except to leave the single quote alone in the double quote strings. By doing this, I'm hoping the CSV{} filter can then properly parse the data.
The problem I am having now is my regex expression contains double quote characters and the gsub function is complaining....
[ERROR] 2019-05-17 09:36:07.124 [Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash
::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 10, column 32 (byte 168) after filter {\n mutate {\n gsub => ["message", "/(?!\B"", :backtrace=>["/usr/share/l
ogstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in
compile_graph'", "/usr/share/logstash/logsta
sh-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2577:in
map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_so urces'", "org/logstash/execution/AbstractPipelineExt.java:151:in
initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/li b/logstash/java_pipeline.rb:23:in
initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstas h/agent.rb:325:in
block in converge_state'"]}
Here is my filter code.... can someone tell me the proper syntax to allow this regex code to be properly recognized by the function?
filter {
mutate {
gsub => ["message", "/(?!\B"[^"]),(?![^"]"\B)/g", ""]
}
csv {
separator => ""
skip_empty_columns => "true"
skip_empty_rows => "true"
columns => ["Asset Alternate IPv4 Addresses","Asset Alternate IPv6 Addresses","Asset Criticality","Asset ID","Asset IP Address","Asset Location","Asset MAC Addresses","Asset Names",$
}
Thank you!!!