Hello,
How can I manage log lines which have multiple /n and /r characters with Grok?
The log line here is a multiline and looking to replace the /r /n with "".
My filter looks like this :
filter{
grok {match => ["message","%{TIMESTAMP_ISO8601:timestamp}|%{GREEDYDATA:call_trace}"]}
mutate {gsub => ["call_trace", "\r\n", ""]}
}
But it doesnt work.
Any suggestions?
Thanks in advance
You can use the strip option:
mutate {
strip => ["call_trace"]
}
I believe Strip is used only to remove trailing and leading white spaces. In my case I want to remove carriage returns/new lines
It also removes \n. For \r, ou might want to test it
Just tried using strip on that field but no luck 
I managed to get it working by using the below filter.
filter{
mutate { gsub => [ "message", "[\n]", "" ] }
}
Thanks for the assistance.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.