Filling value into placeholder in a field

Saurabh_Singh1 · April 1, 2020, 9:17pm

Hi ,
I have a field named 'message'. This field contains data like,

  message : 'My IP is {%source_ip}.This {%source.ip} is external ip.'

I want to replace all the instance of this placeholder {%source_ip} , with a value. Can anybody
help me how to do this.

Badger · April 1, 2020, 10:57pm

Use mutate+gsub.

Saurabh_Singh1 · April 2, 2020, 4:52am

Thank you @Badger ,
I tried doing this ,
mutate {
gsub => [

      "message", "{%source.ip}", "1.1.1.1",
    ]
  }

And the source ip got replaced , but in my scenario ,the value to be replaced is not predefined ( ie 1.1.1.1). I want to replace this with value of another field that is.("source. ip").

For example:

"newfield" : "12.12.12.1"

                        mutate {
    gsub => [
      
      "message", "{%source.ip}", "<value of the newfield>",
    ]
  }

Any help how can i get this ?

Badger · April 2, 2020, 3:01pm

You may be able to use a sprintf reference. If gsub does not do the sprintf you may be able to make mutate+copy process the reference that you gsub in.

Saurabh_Singh1 · April 8, 2020, 7:51pm

Thanks a ton @badger it worked.

system · May 6, 2020, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.