i have log in below format , i need to replace ":" from 17:18:12 to 17-18-12 ...as this colon is also present at other places in line , how to match this
mutate { gsub => [ "message", "\d\d:\d\d:\d\d", "\d\d-\d\d-\d\d" ] does not work
Log
"This is a test:message however it was originated 17:18:12 but help:question abc "
Hello Muhammad,
Welcome to this forum! 
I have not tried it but something like this should work:
mutate { gsub => [ "message", "(\d\d):(\d\d):(\d\d)", "$1-$2-$3" ] }
The brackets in the first regex mark groups which can be referenced later by using $x.
Best regards
Wolfram
not working , it gives output
"message" => "$1-$2-$3\r",
ruby use \1 etc. to reference capture groups. It does not use the perl syntax of $1 etc. Try
mutate { gsub => [ "message", "(\d\d):(\d\d):(\d\d)", "\1-\2-\3" ] }still not working i am getting below output
"message" => "--\r"
if my input message has 17:18:12 , i need to replace it and display as 17-18-12
That means the capture groups were empty, which means the original message just consisted of "\r". Your message does not contain what you think it contains.
@Muhammad_Faisal I am sorry, I was not aware of the difference between Ruby and other Regex implementations.
thanks Badger its working.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.