GROK - how to strip first five and last four characters from the field

mudricd · July 10, 2019, 8:30am

Hi,

I am trying to strip first five and last four characters from the log.

This is the log:

// "7AFA267A-E3C5-753F-DF422B36C7D07B80 - func_doTopup.cfm: 87 ms"
"7AFA267A-E3C5-753F-DF422B36C7D07B80 - func_doTopup.cfm: 7400 ms"
"7B1EDF03-A296-3F15-B5E91CBDAF9E8306 - SendWaitingSMS_auto: 171 ms"
"7B1EDF03-A296-3F15-B5E91CBDAF9E8306 - SendWaitingSMS_auto: 26 ms"
"7B1EDF03-A296-3F15-B5E91CBDAF9E8306 - SendWaitingSMS_auto: 30 ms"
"7B1EE995-CE33-D2C5-E33722B7A9B52811 - func_doTopup.cfm: 94 ms"
"7B1EE995-CE33-D2C5-E33722B7A9B52811 - func_doTopup.cfm: 7207 ms"
"7B2473D6-0182-9BAB-8D64A64421411B10 - func_setBar.cfm: 434 ms"
"7B2473D6-0182-9BAB-8D64A64421411B10 - func_setBar.cfm: 41 ms"

Here is the patter I was using:

// (?%{WORD}-%{WORD}-%{WORD}-%{WORD})\s+-\s+(?%{NOTSPACE})\s+(?<execution_time>%{INT})\s+%{WORD:unit}

The part that I am tryng to fix is (?%{NOTSPACE}). The field I got is func_doTopup.cfm: but I would like it to be doTopup.

Any help would be much appreciated!

Cheers

Badger · July 10, 2019, 2:08pm

If you want to strip the specific characters _fund and .cfm then use

    mutate { gsub => [ "someField", "^func_", "", "someField", "\.cfm$", "" ] }

If you really want to strip the first five and last four then use

    mutate { gsub => [ "someField", "^.....", "", "someField", "....$", "" ] }

mudricd · July 11, 2019, 2:35am

@Badger Thanks for the tip mate.

First way didn't work well for me but second one did the trick. This is what I did to get desired result:

mutate { gsub => [ "function", "^.....", "", "function", ".....$", "" ] }

system · August 8, 2019, 2:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.