How to remove double sign equal

Travis · October 2, 2019, 2:27pm

Hello,

I have logs like this :

field1=value field2=value somedata==blablafoo field3=value

I use kv to parse the logs.
I have to remove double sign equal (==) because kv interpet this as a field, but when I use :

mutate {
gsub => [ "message", "[\=\=]", "" ]
}

or

mutate {
gsub => [ "message", "[\==]", "" ]
}

It remove ALL sign equal, and so kv filter is no more working.... Logs looks like :

field1value field2value somedatablablafoo field3value

I just want to remove only double sign equal.

Desired output :

field1=value field2=value somedatablablafoo field3=value

Have you some idea to figure this out ?

Thank you

Badger · October 2, 2019, 2:34pm

Use =+, meaning one or more equals signs, and replace with a single...

mutate { gsub => [ "message", "=+", "=" ] }

If the fact that that replaces a single equals sign with itself bothers you then you could use

mutate { gsub => [ "message", "={2,}", "=" ] }

Travis · October 2, 2019, 2:49pm

Thanks a lot @Badger ! This has solved my issue :

gsub => [ "message", "={2,}", "" ]

(personal reminder : read more clearly the documentation )

system · October 30, 2019, 2:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.