Hi,
I'm trying to write up a gsub to remove everything before a slash. My input will come in the format of something similar to:
LP-45XP\joe.bloggs
3G49-2AP\john.doe
random_PC-domain_name\random_firstname.random_lastname
All I'm looking for is the firstname.lastname from the field.
Currently, after trying all sorts of iterations, I have:
gsub => [ "UserName", "[*\\]", "" ]
Still doesn't fix my problem.
Could I get a pointer on the structure of the gsub I need and the method behind it?
Thanks.
Can you give the entire filter?
Also, your regex isn't correct; try "(.*\\)" instead of "[*\\]".
Thanks for the reply. I'd already tried that particular syntax but still no luck. The full filter is shown below. I'm essentially pulling in a txt file as a key/value pair, mutating some of it and pushing it to Elastic. The UserName field contains either the PC name and the username separated by a \ or the domain name and username in the same format.
filter {
  if [type] == "log" {
    kv {
      field_split => ";"
      value_split => "="
      trim_value => "\s"
    }
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
      target => "@timestamp"
      timezone => "Europe/London"
    }
    mutate {
      gsub => [ "UserName", "(.*\\)", "" ]
      gsub => [ "ComputerIPAddress", "\r", "" ]
      remove_field => [ "message" ]
    }
  }
}
Thanks.
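The following is an added example, not code from either poster. Logstash's mutate gsub compiles the pattern string into a Ruby Regexp and calls String#gsub with it, so plain Ruby reproduces what the two patterns in this thread do against the sample UserName values. The constant and function names, and the two extra sample values (one with no prefix, one with two backslashes), are constructed for the example.

```ruby
# Added example: what mutate { gsub => [...] } does with the patterns discussed
# above, run as plain Ruby. Logstash hands the pattern to Ruby's regex engine,
# so String#gsub here behaves the same way the filter would.

# First three values are the ones from the question; the last two are
# constructed here to show the edge cases.
SAMPLES = [
  "LP-45XP\\joe.bloggs",
  "3G49-2AP\\john.doe",
  "random_PC-domain_name\\random_firstname.random_lastname",
  "joe.bloggs",            # constructed: no domain/PC prefix at all
  "CORP\\sub\\jane.smith", # constructed: more than one backslash
]

# The original attempt. Square brackets make a character class, so [*\\]
# matches a single '*' OR a single '\'. gsub deletes only the backslash and
# the prefix survives, glued onto the username.
CHAR_CLASS = /[*\\]/

# The suggested fix, anchored at the start of the string. The greedy .* runs
# to the LAST backslash, so a two-level prefix is removed in one pass too.
# Equivalent Logstash line (assuming config.support_escapes is off, so the
# two backslashes reach the regex engine as written):
#   gsub => [ "UserName", "^.*\\", "" ]
PREFIX_PATTERN = /^.*\\/

def strip_with_char_class(user_name)
  user_name.gsub(CHAR_CLASS, "")
end

def strip_prefix(user_name)
  user_name.gsub(PREFIX_PATTERN, "")
end

# Returns [input, result with the character class, result with the anchored
# pattern] for each sample so the two behaviours can be compared side by side.
def compare_patterns(samples = SAMPLES)
  samples.map { |s| [s, strip_with_char_class(s), strip_prefix(s)] }
end

if $PROGRAM_NAME == __FILE__
  compare_patterns.each do |input, char_class_result, prefix_result|
    puts "#{input.ljust(56)} [*\\\\] -> #{char_class_result.ljust(56)} ^.*\\\\ -> #{prefix_result}"
  end
end
```

Two practical checks when the regex looks right but the field is unchanged: gsub silently does nothing if the field does not exist, so confirm with a `stdout { codec => rubydebug }` output that kv really produced a field named exactly `UserName`; and if `config.support_escapes` is enabled in logstash.yml, `"\\"` in the config string collapses to a single backslash before the regex is compiled, which changes what the engine sees.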