How would I filter "fileWriteEvent/username": "domain\bob132" so that I can create a new field
( basically taking out hte domain\)
Username: bob132
mutate { add_field => { "username" => "domain\bob132" } }
mutate { gsub => [ "username", ".*[\\]", "" ] }That mutate gsub statement is what i needed. Thank you! . Can you explain that syntax
It says to match zero or more of any-character, followed by one character of the group containing backslash.
Trying to get a single backslash into the configuration can be a challenge. This is a standard trick used in mutate+gsub.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.