I have a log winlog.evend_data.RuleName : technique_Id=T2343,techniqueName=asdfdasd
I want to change it to winlog.evend_data.RuleName : technique_Id : T4343 , techniquw_name : asdfdasd
I just need the regular expression for this.
NOTE: Please don't share useless links be specific .. I don't need generic solutions. And Don't post Gork tutorials videos etc
Try using gsub filter,
mutate {
gsub => [
# replace equals with a colon ":"
"winlog.evend_data.RuleName", "[=]", ":"
]
}
Assumes winlog.evend_data.RuleName is a field name.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.