Gsub not replacing pattern on "url.original" field

blinx · December 13, 2019, 12:47am

Hi,
I am trying to modify the filebeat-7.5.0-apache-access-default my goal is to remove part of the url.original field using gsub but then when simulating I dont see any change.

So far my procedure was

Deleting the current filebeat-7.5.0-apache-access-default in ES.

Posting a modified version, the only change is I added a gsub processor in the list:

{
    "gsub": {
        "field": "url.original",
        "pattern": "\\&r(.*)",
        "replacement": ""
    }
},

The idea is to remove everything from and after "&r" e.g. /products?s=soap&r=sometoken
I simulate it after and the url.original field is unchanged, any ideas? Thank you!!

spinscale · December 13, 2019, 1:10pm

how about using the dissect processor to not deal with regexes?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dissect": {
          "field": "url.original",
          "pattern": "%{original_url}?%{params}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "url": {
          "original": "https://example.org/products?s=soap&r=sometoken"
        }
      }
    }
  ]
}

blinx · December 13, 2019, 3:47pm

I haven't thought of that! thank you!!

system · January 10, 2020, 3:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.