Gsub not replacing pattern on "url.original" field

blinx · December 13, 2019, 12:47am

Hi,
I am trying to modify the filebeat-7.5.0-apache-access-default my goal is to remove part of the url.original field using gsub but then when simulating I dont see any change.

So far my procedure was

Deleting the current filebeat-7.5.0-apache-access-default in ES.

Posting a modified version, the only change is I added a gsub processor in the list:

{
    "gsub": {
        "field": "url.original",
        "pattern": "\\&r(.*)",
        "replacement": ""
    }
},

The idea is to remove everything from and after "&r" e.g. /products?s=soap&r=sometoken
I simulate it after and the url.original field is unchanged, any ideas? Thank you!!

spinscale · December 13, 2019, 1:10pm

how about using the dissect processor to not deal with regexes?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dissect": {
          "field": "url.original",
          "pattern": "%{original_url}?%{params}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "url": {
          "original": "https://example.org/products?s=soap&r=sometoken"
        }
      }
    }
  ]
}

blinx · December 13, 2019, 3:47pm

I haven't thought of that! thank you!!

Topic		Replies	Views
Replace value from one field in another field using an Elasticsearch Ingest Pipeline Elasticsearch painless , ingest-pipeline	4	1824	May 25, 2022
Elasticsearch Ingest node gsub processor escape character Elasticsearch	14	6054	January 3, 2017
Processor to replace numbers in URLs with a fixed value Elasticsearch	8	75	September 2, 2024
LOGSTASH - GSUB - DOESN'T MATCH Logstash	14	1005	August 20, 2021
Elasticsearch Ingest node gsub processor replace character Elasticsearch	3	2502	February 14, 2018

Gsub not replacing pattern on "url.original" field

Related topics