Gsub not replacing pattern on "url.original" field

blinx · December 13, 2019, 12:47am

Hi,
I am trying to modify the filebeat-7.5.0-apache-access-default my goal is to remove part of the url.original field using gsub but then when simulating I dont see any change.

So far my procedure was

Deleting the current filebeat-7.5.0-apache-access-default in ES.

Posting a modified version, the only change is I added a gsub processor in the list:

{
    "gsub": {
        "field": "url.original",
        "pattern": "\\&r(.*)",
        "replacement": ""
    }
},

The idea is to remove everything from and after "&r" e.g. /products?s=soap&r=sometoken
I simulate it after and the url.original field is unchanged, any ideas? Thank you!!

spinscale · December 13, 2019, 1:10pm

how about using the dissect processor to not deal with regexes?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dissect": {
          "field": "url.original",
          "pattern": "%{original_url}?%{params}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "url": {
          "original": "https://example.org/products?s=soap&r=sometoken"
        }
      }
    }
  ]
}

blinx · December 13, 2019, 3:47pm

I haven't thought of that! thank you!!

system · January 10, 2020, 3:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get rid of event.original field? Beats filebeat	7	10740	May 27, 2022
Apache2 SSL log Parsing Issue Beats filebeat	3	976	September 13, 2018
8.14.0 Migration : Unknown field 'preserve_original' Elasticsearch	3	28	September 23, 2024
Provided Grok expressions do not match field value for response code 408 Beats filebeat	4	1086	July 5, 2018
Unable to use the replace filter on filebeat.yml Beats filebeat	5	887	January 12, 2023

Gsub not replacing pattern on "url.original" field

Related topics