Logstash Dissect and mutate filter

osheap · February 19, 2019, 2:37pm

I am trying to strip a number of characters from a field:
"192.168.0.1/12345" should become "192.168.0.1" for example. I tried to create a mutate/split filter and that sort of does something as it splits the field into 192.168.0.1, 12345.

There must be a very easy way to achieve what I want to achieve, I have been looking for other examples but have not found one.

This is how my filter in logstash.conf looks like (before this a Grok filter correctly sorts out the syslog fields)

</>
filter {
if [syslog_program] == "dnsmasq" {
dissect {
mapping => {
"message" => "%{} %{} %{} %{} %{} %{} %{dns_source} %{} %{dns_resolv}"
}
}
mutate {
split => { "dns_source" => "/" }
}
}
}
</>

Many thanks for your help!

Badger · February 19, 2019, 2:59pm

If you want to discard the port number, you could use

mutate { gsub => [ "someField", "(.*)/.*", "\1" ] }

If you want to split it then

dissect { mapping => { "someField" => "%{ip}/%{port}" } }

osheap · February 19, 2019, 3:23pm

Thanks Badger, the first statement achieved exactly what I wanted !

system · March 19, 2019, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regarding Split filter in mutate Logstash	4	221	July 28, 2022
Problem with "split" and "add_field" in mutate filter Logstash	5	5472	December 19, 2019
Strip in mutate filter Logstash	3	1112	March 14, 2019
Help using logstash dissect filtering Logstash	3	325	June 18, 2019
Breaking down a field Logstash	4	366	January 7, 2019

Logstash Dissect and mutate filter

Related topics