Grok QS includes quotes, how can I remove them?

mikemi · April 12, 2017, 4:12pm

I'm using the QS grok pattern. It includes the encapsulating quotes in the values.

For example, I'm using it to get the referrer in a custom apache log.

How can I remove the quotes before shipping over to elasticsearch?

"agent" => ""Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.4) Gecko/20100614 Ubuntu/10.04 (lucid) Firefox/3.6.4"",

eperry · April 13, 2017, 12:16am

yup that is the problem using %{QA:agent} annoying isn't it

I use "%{DATA:agent}"

though you could always use mutate with gsub to search and replace quotes

the only other option for you is to rewrite the QS defination not to capture the "'s but never found a good answer on that

magnusbaeck · April 13, 2017, 7:04am

The mutate filter's gsub option can be used to remove the quotes.

system · May 11, 2017, 7:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to remove quotation marks Logstash	2	5414	April 13, 2017
Logstash delete double quotes and parsing Logstash	1	612	January 10, 2019
How to get rid of extra double quote Logstash	3	1227	July 6, 2017
Double quotes inside field: grok failure / unable to remove Logstash	2	330	April 28, 2020
Remove double quotes from grok output Logstash	9	2863	January 20, 2020