Double quotes inside field: grok failure / unable to remove

holobolo0815 · March 31, 2020, 3:34pm

I have a message like this:

result=accept, user=username, extip=1.2.3.4, nasip=5.6.7.8, realm=user(realm)"Tue Mar 31 16:59:24 2020"4KalZzYgN, internalevent=

I am filtering like follows

kv {
  source => "msg"
  field_split => ","
}

mutate {
  gsub => [
    "realm", "\"", ""
  ]
}
grok {
  match => {
    "realm" => '\((?<realmx>.*)\)'
  }
}
if [realmx] {
  mutate {
    replace => {
      "realm" => "%{realmx}"
    }
  }
}

I have tried getting rid of the double quotes in the "realm" field. But it just won't remove them and also grok fails, probably because of the quotes.

In the end all I want to do is extract the string between parentheses.

How do I tackle this?

Thanks,
Marki

Badger · March 31, 2020, 4:02pm

There are spaces in your key names

    " nasip" => "5.6.7.8",
    " realm" => "user(realm)\"Tue Mar 31 16:59:24 2020\"4KalZzYgN",

add

trim_key => " "

to your kv filter.

system · April 28, 2020, 4:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get rid of extra double quote Logstash	3	1227	July 6, 2017
Logstash delete double quotes and parsing Logstash	1	612	January 10, 2019
Grok - extract text from in between double quotes Logstash	1	906	November 20, 2018
Fields and values Logstash	3	481	July 24, 2017
Logstash - elasticsarch and double quotes Logstash	12	2333	May 13, 2021

Double quotes inside field: grok failure / unable to remove

Related topics