Logstash Dissect and mutate filter

osheap · February 19, 2019, 2:37pm

I am trying to strip a number of characters from a field:
"192.168.0.1/12345" should become "192.168.0.1" for example. I tried to create a mutate/split filter and that sort of does something as it splits the field into 192.168.0.1, 12345.

There must be a very easy way to achieve what I want to achieve, I have been looking for other examples but have not found one.

This is how my filter in logstash.conf looks like (before this a Grok filter correctly sorts out the syslog fields)

</>
filter {
if [syslog_program] == "dnsmasq" {
dissect {
mapping => {
"message" => "%{} %{} %{} %{} %{} %{} %{dns_source} %{} %{dns_resolv}"
}
}
mutate {
split => { "dns_source" => "/" }
}
}
}
</>

Many thanks for your help!

Badger · February 19, 2019, 2:59pm

If you want to discard the port number, you could use

mutate { gsub => [ "someField", "(.*)/.*", "\1" ] }

If you want to split it then

dissect { mapping => { "someField" => "%{ip}/%{port}" } }

osheap · February 19, 2019, 3:23pm

Thanks Badger, the first statement achieved exactly what I wanted !

system · March 19, 2019, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.