Hi,
I'm receiving syslogs from different equipment with quite different formats, but every log always starts with something like this:
<188>time=..... or <177>id=.....
So, each time that I apply kv, I got a field named like: <188>time, <187>time and so on.
I would like to trim o remove this part of the field, but a couldn't find a way to write in the conf file an expression to solved it. The result always is that only the first "<" get removed.
Any thoughts?
Use a grok filter to preprocess each log line and extract everything that comes after the prefix to a new field that you feed to kv. Or, use a mutate filter's gsub option to replace the prefix with an empty string.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.