Logstash Filtering split

Elk_huh · April 15, 2019, 6:50pm

How would I filter "fileWriteEvent/username": "domain\bob132" so that I can create a new field
( basically taking out hte domain\)
Username: bob132

Badger · April 15, 2019, 7:30pm

    mutate { add_field => { "username" => "domain\bob132" } }
    mutate { gsub => [ "username", ".*[\\]", "" ] }

Elk_huh · April 15, 2019, 7:36pm

That mutate gsub statement is what i needed. Thank you! . Can you explain that syntax

Badger · April 15, 2019, 8:03pm

It says to match zero or more of any-character, followed by one character of the group containing backslash.

Trying to get a single backslash into the configuration can be a challenge. This is a standard trick used in mutate+gsub.

system · May 13, 2019, 8:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Proper RegEx with Mutate>GSub Logstash	2	3340	May 22, 2020
HALP! Changing two backslashes to one! Logstash	3	404	October 29, 2019
Gsub syntax to remove all before \ Logstash	3	1963	November 6, 2017
Logstash gsub: how to replace with backslash? Logstash	1	1521	July 6, 2017
Struggling to replace a string in a syslog message with sub Logstash	5	413	July 21, 2022