Extract value from regex with parentheses in if condition

I have the following input in Logstash:

 {
logstash         |     "sourceRecordPosition" => 11,
logstash         |          "rejectionReason" => "",
logstash         |                      "key" => 2251799813685255,
logstash         |            "brokerVersion" => "0.26.0",
logstash         |                    "value" => {
logstash         |         "workflowInstanceKey" => 2251799813685254,
logstash         |                    "scopeKey" => 2251799813685254,
logstash         |                       "value" => "\"fire\"",
logstash         |                        "name" => "emergencyReason",
logstash         |                 "workflowKey" => 2251799813685249
logstash         |     },
logstash         |                "valueType" => "VARIABLE",
logstash         |            "rejectionType" => "NULL_VAL",
logstash         |                 "position" => 12,
logstash         |              "partitionId" => 1,
logstash         |               "recordType" => "EVENT",
logstash         |                 "@version" => "1",
logstash         |               "@timestamp" => 2021-03-24T09:50:13.570Z,
logstash         |                   "intent" => "CREATED"
logstash         | }

And I wrote a grok filter with a regex (regex101: build, test, and debug regex) to extract the value by group:

 filter { 
        json { 
           source => "message"
        }

        if [value][value] =~ /^"\\"(\S+)\\""/ {
            mutate { 
                 gsub => [ "[value][value]", '^"\\"(\S+)\\""', "\1" ]
           }
       }
} 

But this does not work for me. How can I extract the value?

What does that mean?

I mean I want to extract the word fire from the parentheses, like this: "\"fire\"" -> fire, and put this word in the [value][value] field.

"value" => "\"fire\"",

The actual value of the [value][value] field is "fire". The additional quotes and backslashes are just presentation by rubydebug, so all you need to do is remove the double quotes.

mutate { gsub => [ "[value][value]", '"', "" ] }

Unfortunately, exactly this word with backslashes is going to the Elastic index.

Here is some data from the index:

"hits": {
        "total": 198697,
        "max_score": 1.0,
        "hits": [
            {
                "_index": "zeebe_variable_0.26.0_2021-03-18",
                "_type": "_doc",
                "_id": "1-6780",
                "_score": 1.0,
                "_routing": "1",
                "_source": {
                    "partitionId": 1,
                    "value": {
                        "name": "emergencyReason",
                        "value": "\"fire\"",
                        "workflowKey": 2251799813685249,
                        "workflowInstanceKey": 2251799813685254,
                        "scopeKey": 2251799813685254
                    }
            }

Again, that is presentation. Have you tried the mutate+gsub?

Nope. First, I need to write a regexp to detect this value (because this field may contain valid JSON). So, if the actual value is "fire", I need to write something like this?

 if [value][value] =~ /^"\\"/ {
     mutate { 
          gsub => [ "[value][value]", '"', "" ] 
     }
 }

I would be very surprised if that worked.
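
An added example, not part of the original thread: a Ruby sketch of the point made in the replies, that the stored field is the six characters `"fire"` and the backslashes only appear when the string is printed in escaped form. It also shows one way to unquote the field only when it holds a JSON string, leaving JSON objects alone. The names `ACTUAL`, `THREAD_PATTERN`, `LEADING_QUOTE` and `unquote_json_string` are hypothetical, and the sample values are constructed.

```ruby
require 'json'

# Constructed sample: the real content of [value][value] is six characters,
# the word fire wrapped in double quotes (a JSON-encoded string).
ACTUAL = '"fire"'

# Pattern from the last conditional in the thread: quote, backslash, quote.
THREAD_PATTERN = /^"\\"/
# Pattern that matches the real content: a leading double quote.
LEADING_QUOTE = /^"/

# Decode the field only when it holds exactly one JSON string scalar.
# Objects, arrays, numbers and malformed text are returned unchanged.
# Wrapping in [ ] lets any version of the json library parse a scalar.
def unquote_json_string(raw)
  return raw unless raw.is_a?(String) && raw.lstrip.start_with?('"')
  parsed = JSON.parse("[#{raw}]")
  return raw unless parsed.length == 1 && parsed[0].is_a?(String)
  parsed[0]
rescue JSON::ParserError
  raw
end

if __FILE__ == $PROGRAM_NAME
  puts ACTUAL                                   # stored content
  puts ACTUAL.inspect                           # escaped presentation
  puts "thread pattern matches: #{!(ACTUAL =~ THREAD_PATTERN).nil?}"
  puts "leading quote matches:  #{!(ACTUAL =~ LEADING_QUOTE).nil?}"
  # Constructed inputs: a JSON string, a JSON object, a string with
  # embedded escaped quotes, and a malformed value.
  ['"fire"', '{"reason":"fire"}', '"say \"hi\""', '"fire'].each do |v|
    puts "#{v} -> #{unquote_json_string(v)}"
  end
end
```
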
