Hi,
I'm trying to extract part of a field using RegEx and create a new field with the extracted text.
i.e string = alert message|User: johnc |Host: test |Event type: test
capture = johnc
RegEx example : User: ([^|{1}]+)\s Result: johnc
I know the regex I need, but not which method I should be using.
Ultimately I want to add a new field with johnc
I've tried gsub and various mutate methods, but no luck.
This method just removes the part I need:
mutate {
gsub => ["user2", "User: ([^|{1}]+)\s", "" ]
Any help would be much appreciated.
extract from conf file:
input {
jdbc {
jdbc_connection_string => "jdbc:postgresql://xxx/xxx?user=xxx"
jdbc_user => "xxx"
jdbc_driver_library => "/usr/local/lib/pgsqljdbc/postgresql.jar"
jdbc_driver_class => "org.postgresql.Driver"
statement => "
SELECT
Alerts.alertid AS alertid,
Alerts.timereceived AS timereceived,
Alerts.message AS message,
Alerts.eventtime AS eventtime
FROM
Alerts
WHERE Alerts.eventtime > '2017-01-07'
AND Alerts.alertid > :sql_last_value
ORDER BY alertid;
"
type => "main-alerts"
last_run_metadata_path => "/etc/logstash/last_run/alerts"
schedule => "*/1 * * * *"
tracking_column => "alertid"
tracking_column_type => "numeric"
use_column_value => true
}
}
filter {
if [type] == "main-alerts" {
mutate {
convert => { "eventtime" => "string" }
}
date {
match => [ "eventtime", "ISO8601" ]
remove_field => [ "eventtime" ]
}
}
}