LOGSTASH - GSUB - DOESN'T MATCH

Daniel_Lopez · July 21, 2021, 6:32am

Hi

I tried to change a value in a field for use it like id but i couldn't modify the field value with gsub

The data i have in the field is like this: rId = ABC0_L123456_789012 and only data i want is 123456 from rId, this is my config

add_field => ["rNum","%{rId}]
gsub => [ "rNum","^.L","","rNum","_.",""]

what I get in elastic is the rId and rNum with the same value, gsub is not working properly with my set tup

Cad · July 21, 2021, 12:06pm

Hi,

The main error here is that the use of . without any character of repetition.

Error :
^.L search 1 character before a L at the beginning of the line.
Correction :
^.*L search 0 or more character since the beginning of the line until he found a L .

Error:
_. search 1 character after a _.
Correction :
_.*$ search 0 or more character until the end of the line after a _.

So

gsub => [ 
    "rNum", "^.L", "",
    "rNum", "_.", ""
]

Have to be replaced by

gsub => [ 
    "rNum", "^.*L", "",
    "rNum", "_.*$", ""
]

Daniel_Lopez · July 21, 2021, 5:00pm

I will try asap

Thanks a lot!

Daniel_Lopez · July 22, 2021, 9:29am

It doesn't work, I get the same data in rId and rNum.

BR

Cad · July 22, 2021, 10:24am

Is it write like that in your logstash configuration file ?
Because add_field take a hash not an array

Daniel_Lopez · July 22, 2021, 12:37pm

add_field => ["rNum","%{rId}"]
So how could i apply the gsub?

Cad · July 22, 2021, 1:24pm

I think the error came from the add_field.
In the documentation, about the add_field, we can found If this filter is successful, add any arbitrary fields to this event so i think, the add field is execute after the gsub. That's why rNim and rld have the same value.

Use copy option instead.

mutate {
    copy => { 
        "rld" => "rNum"
    }
    gsub => [ 
        "rNum", "^.*L", "",
        "rNum", "_.*$", ""
    ]
}

Badger · July 22, 2021, 3:33pm

Correct, the order of operations is

coerce
rename
update
replace
convert
gsub
uppercase
capitalize
lowercase
strip
remove
split
join
merge
copy
add_field
remove_field
add_tag
remove_tag

Daniel_Lopez · July 22, 2021, 3:55pm

Thanks, I will try with copy, but @Badger said that copy is afer gsub, too. Tomorrow i will update you, Thanks!!!

Badger · July 22, 2021, 4:07pm

Split the mutate filter into two mutate filters if you want to force the order.

Daniel_Lopez · July 22, 2021, 6:04pm

Like this ???

Badger · July 22, 2021, 6:24pm

Like that, except you have an extra => in the second mutate.

Daniel_Lopez · July 22, 2021, 8:16pm

Thanks, tomorrow i will update, thanks!

Daniel_Lopez · July 23, 2021, 7:18am

@Badger thanks a lot, two mutates solve my issue!! BR

system · August 20, 2021, 7:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.