So, I thought this would be trivial, right?
gsub => ["message","\\\\","\\"]
but... nop, it doesn't work. Logstash no like it. There's this field with domain and username that comes out as domain\\username from the log message. Everything else is already working nicely, but when I uncomment that specific line...
Expected one of #, {, ,, ] at line
Never mind, it was just ruby_debug log escaping a single backslash...
In case you ever do need to do it (or someone's forum search gets a hit on your title) it is hard to get logstash to allow a backslash before the closing quote surrounding a string, so you represent each backslash using one occurrence of the character class that only includes backslash, then use a capture group in the replacement string
mutate { gsub => [ "someField", "([\\])[\\]", "\1" ] }This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.