i have log in below format , i need to replace ":" from 17:18:12 to 17-18-12 ...as this colon is also present at other places in line , how to match this
mutate { gsub => [ "message", "\d\d:\d\d:\d\d", "\d\d-\d\d-\d\d" ] does not work
Log
"This is a test:message however it was originated 17:18:12 but help:question abc "
Hello Muhammad,
Welcome to this forum! 
I have not tried it but something like this should work:
mutate { gsub => [ "message", "(\d\d):(\d\d):(\d\d)", "$1-$2-$3" ] }
The brackets in the first regex mark groups which can be referenced later by using $x.
Best regards
Wolfram
not working , it gives output
"message" => "$1-$2-$3\r",
ruby use \1 etc. to reference capture groups. It does not use the perl syntax of $1 etc. Try
mutate { gsub => [ "message", "(\d\d):(\d\d):(\d\d)", "\1-\2-\3" ] }still not working i am getting below output
"message" => "--\r"
if my input message has 17:18:12 , i need to replace it and display as 17-18-12
That means the capture groups were empty, which means the original message just consisted of "\r". Your message does not contain what you think it contains.
@Muhammad_Faisal I am sorry, I was not aware of the difference between Ruby and other Regex implementations.
thanks Badger its working.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.