Help with removing parts of log output

Feedy · February 23, 2018, 5:28pm

I would like to remove, if possible, the \r\n data and replace with a whitespace from the log file below....
Log file:
Feb 20 13:00:10 172.19.1.181 1 2018-02-20T11:50:23.000Z removed-data-vices.com KES|10.2.4.0 - 00000193 [event@23668 et="00000193" tdn="Application Privilege Control" etdn="Application Privilege Control rule triggered" hdn="ABC-DE-AA-003" hip="10.148.123.22"] Event type: Application Privilege Control rule triggered\r\nApplication\Name: MOM Client Software\r\nApplication\Path: c:\program files\removed_client\\r\nApplication\Process ID: 7928\r\nUser: ABC\nobody (Active user)\r\nComponent: Application Privilege Control\r\nResult\Description: Allowed\r\nResult\Type: Registry access\r\nResult\Name: SystemServices2\r\nResult\Threat level: Low\r\nResult\Precision: Exactly\r\nAction: Create\r\nObject: hklm\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\r\nObject\Type: Registry key\r\nObject\Path: hklm\SYSTEM\CONTROLSET001\SERVICES\TCPIP\\r\nObject\Name: PARAMETERS\r\nReason: SystemServices2\r\n

I've tried the mutate filter testing just one named field for testing but not getting expected results:

mutate {
 gsub => [
   "Type2", "[(\r\n|\r|\n)]", ""
   ]
  }

Feedy · February 23, 2018, 5:45pm

I think I figured out my issue....rewriting grok pattern now to test....

Badger · February 23, 2018, 5:53pm

On Linux, the following will work, where these are a literal newline and ctrl/M in the string.

mutate { 
gsub => [ "message", "[
^M]", "" ]
}

system · March 23, 2018, 5:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.