Logstash configuration remove everything after "-"

ELK 7.16.x

In my logstash file, I have the following configuration:

....
if [kubernetes][namespace] == 'webservices' or [kubernetes][namespace] =~ /webservices-frontend\d+$/ {
        mutate {
          replace => { 'pod_name' => "%{[kubernetes][pod][name]}" }
        }
..
.....
# Example: 
# pod_name is == some-running-pod-frontend1-1234567-975cf7cd9-nzzxl
# or
# pod_name is == some-running-pod-frontend2-76c54B21-8at6C9a7v-baczi
# or
# pod_name is == some-running-pod-frontend1-76c54B21-8at6C9a7v-baczi
# or
# pod_name is == some-running-pod-frontend2-7564321-8at6C9a7v-baczi

# I'm using the following configuration to see if pod_name contains the following pattern using "=~" /somevalue/
....
        else if [pod_name] =~ /some-running-pod-frontend\d+-\d+/ {
          mutate {
            replace => { 'message' => "P00:FRONTEND:%{pod_name}" }
          }
        }

I want message to just contain the pod name stripped value i.e. logical name (rather than using the full pod name which includes "-<number>-<alnum>" part: 
"P00:FRONTEND:some-running-pod-frontend1" 
and 
"P00:FRONTEND:some-running-pod-frontend2"

How can I easily test this config (before committing it to GIT.

Hi @ska,

Welcome back! Have you tried running it locally with an output file configured to try out your change? There is an example in this blog that could help.

You can use a sample of your raw logs and test it locally.

        else if [pod_name] =~ /some-running-pod-frontend\d+-antenna\d+-/ {
          mutate {
            gsub => [
               "pod_name", "(.*-antenna\d{1,2})-.*", "\1"
            ]
            replace => { 'message' => "P00:FRONTEND:%{pod_name}" }
          }
        }

gsub within mutate did the trick

(.*-antenna\d{1,2})-.* == catch string from start up to antenna1, antenna2, or antenna99 first using '(' and ')' i.e. \1 and then ignore anything after (....antennaN)-.*

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.