How to remove subfield using pattern

jerry-chen-315 · August 20, 2018, 7:10am

logstash version 6.2.1

my message like this:

{"@timestamp":"2018-08-12T15:53:02Z","hostanme":"server-oem","hostip":"162.12.1.240","tag":"auditlog","event_id":521244,"EXECVE":{ "type": "EXECVE", "argc": "28", "a0": ""find"", "a1": ""/var/log/sa/"", "a2": ""("", "a3": ""-name"", "a4": ""sar??"", "a5": ""-o"", "a6": ""-name"", "a7": ""sa??"", "a8": ""-o"", "a9": ""-name"", "a10": ""sar??.gz"", "a11": ""-o"", "a12": ""-name"", "a13": ""sa??.gz"", "a14": ""-o"", "a15": ""-name"", "a16": ""sar??.bz2"", "a17": ""-o"", "a18": ""-name"", "a19": ""sa??.bz2"", "a20": "")"", "a21": ""-mtime"", "a22": ""+7"", "a23": ""-exec"", "a24": ""rm"", "a25": ""-f"", "a26": ""{}"", "a27": "";"" }}`

my filter like this:

filter {
ruby {
code => "event['EXECVE'].keys.each { |k|
event['EXECVE'].remove(k) if k.start_with?('a')
}
"
}
}

But no field removed.

If i wanna remove some fields like a10,a11,a12... aNN,Can i use regex with "start_with" and how?

jerry-chen-315 · August 27, 2018, 1:32am

anything is appreciate

wwalker · August 31, 2018, 7:15pm

Every filter supports the common option, remove_field...so something like:

filter {
  mutate {
    id => "Field Removal"
    remove_field => [
      "[execve][a10]",
      "[execve][a11]",
      "[execve][a12]"
    ] 
  }
}

system · September 28, 2018, 7:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.