I'm using the QS grok pattern. It includes the encapsulating quotes in the values.
For example, I'm using it to get the referrer in a custom apache log.
How can I remove the quotes before shipping over to elasticsearch?
"agent" => ""Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.4) Gecko/20100614 Ubuntu/10.04 (lucid) Firefox/3.6.4"",
yup that is the problem using %{QA:agent} annoying isn't it
I use "%{DATA:agent}"
though you could always use mutate with gsub to search and replace quotes
the only other option for you is to rewrite the QS defination not to capture the "'s but never found a good answer on that
The mutate filter's gsub option can be used to remove the quotes.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.