How to escape field values for elasticsearch filter query?

I'm using the elasticsearch filter to enrich an event coming from a database. I'm using a fairly simple query:

query => "usernames.keyword:%{[userid]}@%{[domain]}"

It works fine, usually. However, I have instances where the userid field contains a forward slash. In that case, Elasticsearch fails to parse the query, because the slash isn't being escaped. Is there a better way to accomplish that (for all characters that need escaping) than using a mutate filter before the elasticsearch filter to populate a temporary field to be used in the elasticsearch query?

query => 'usernames.keyword:"%{[userid]}@%{[domain]}"'

Recent versions of Logstash supports standard escapes in strings if you enable it with a command-line option.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.