How do I perform string manipulations


(Samnik60) #1

String manipulations have been hard for me with Logstash. How do I do substr(destinationid,instr(destinationid,"discard"),7)?


(Magnus Bäck) #2

Wouldn't substr(destinationid,instr(destinationid,"discard"),7) always return "discard"? Perhaps you can give an example of an input string and the desired result.


(Samnik60) #3

destinationid=aadiscardsomething

It is for substr(destinationid,instr(destinationid,"discard"),14)

I want to extract "discardsome"


(Magnus Bäck) #4

You can use a grok filter to extract strings from other strings.

grok {
  match => ["destinationid", "(?<fieldname>discard.{7})"]
}

This extracts a new field named fieldname from the field destinationid, starting with "discard" and followed by the seven characters thereafter, i.e. if destinationid contains "aadiscardsomething" then fieldname will contain "discardsomethi".


(Samnik60) #5

Thanks a lot. Can you suggest some document which I can refer to, to avoid these queries in future? :smile:


(Magnus Bäck) #6

How about the grok filter's documentation?


(Samnik60) #7

Well, it's not much on examples or complete syntax.
For example, I did see Custom Patterns but I couldn't figure out how to use it in the filter, but
after seeing your post

grok {
  match => ["destinationid", "(?discard.{7})"]
}

now I get it. Maybe I will get used to this in a while.

For example, now I am puzzled with what to do if I need the rest of the string without specifying length.

Do I use

grok {
  match => ["destinationid", "(?discard)"]
}

I guess I have to do trial and error.

Thanks,
sam


(Magnus Bäck) #8

> Well, it's not much on examples or complete syntax,

What part of the syntax isn't covered?

> For example, now I am puzzled with what to do if I need the rest of the string without specifying length.

You mean all of the string from "discard" and onwards? Just use (?<fieldname>discard.*).

> Do I use
> grok {
>   match => ["destinationid", "(?discard)"]
> }
> I guess I have to do trial and error

If you format the configuration snippets as code you won't run the risk of getting things stripped because they look like HTML (or whatever).
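
The two patterns suggested in this thread, checked outside Logstash. This is an added example, not code from any poster: `grok_like` is a hypothetical helper, the `upto4` pattern and the last two sample values are constructed, and it relies on Ruby's regex engine accepting the same `(?<name>...)` named-group syntax that grok uses.

```ruby
# Added example, not from the thread. Ruby's regex engine (Onigmo) accepts the
# same (?<name>...) named-group syntax that grok patterns use.

PATTERNS = {
  "fixed" => /(?<fieldname>discard.{7})/,   # from post #4: exactly 7 chars after "discard"
  "rest"  => /(?<fieldname>discard.*)/,     # from post #8: everything from "discard" onwards
  "upto4" => /(?<fieldname>discard.{0,4})/  # assumption: substr-like, at most 4 chars after
}.freeze

# Hypothetical helper mimicking what a grok filter does to one event:
# on a match, each named capture becomes a field; otherwise the event is
# tagged "_grokparsefailure" (grok's default tag_on_failure value).
def grok_like(event, field, regex)
  out = event.dup
  m = regex.match(out[field].to_s)
  if m
    m.names.each { |name| out[name] = m[name] }
  else
    out["tags"] = Array(out["tags"]) + ["_grokparsefailure"]
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    { "destinationid" => "aadiscardsomething" }, # value from the thread
    { "destinationid" => "aadiscardabc" },       # constructed: only 3 chars after "discard"
    { "destinationid" => "nothing-here" }        # constructed: no "discard" at all
  ]
  samples.each do |event|
    PATTERNS.each do |label, regex|
      result = grok_like(event, "destinationid", regex)
      puts format("%-20s %-6s field=%-18s tags=%s", event["destinationid"], label,
                  result["fieldname"].inspect, result["tags"].inspect)
    end
  end
end
```

Unlike substr, `.{7}` does not return a shorter string when fewer than seven characters remain: the event simply fails to match and is tagged, which matters when later pipeline stages assume the field exists.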

