LOGSTASH - GSUB - DOESN'T MATCH

Hi

I tried to change a value in a field to use it as an id, but I couldn't modify the field value with gsub.

The data I have in the field is like this: rId = ABC0_L123456_789012, and the only data I want is 123456 from rId. This is my config:

add_field => ["rNum","%{rId}"]
gsub => [ "rNum","^.L","","rNum","_.",""]

What I get in Elastic is rId and rNum with the same value; gsub is not working properly with my setup.

Hi,

The main error here is the use of . without any repetition character.

Error:
^.L searches for 1 character before an L at the beginning of the line.
Correction:
^.*L searches for 0 or more characters from the beginning of the line until it finds an L.

Error:
_. searches for 1 character after a _.
Correction:
_.*$ searches for 0 or more characters after a _ until the end of the line.

So

gsub => [ 
    "rNum", "^.L", "",
    "rNum", "_.", ""
]

Has to be replaced by

gsub => [ 
    "rNum", "^.*L", "",
    "rNum", "_.*$", ""
]

I will try asap

Thanks a lot!

It doesn't work, I get the same data in rId and rNum.

BR

Is it written like that in your Logstash configuration file?
Because add_field takes a hash, not an array.

add_field => ["rNum","%{rId}"]

So how could I apply the gsub?

I think the error comes from the add_field.
In the documentation about add_field, we can find "If this filter is successful, add any arbitrary fields to this event", so I think the add_field is executed after the gsub. That's why rNum and rId have the same value.

Use copy option instead.

mutate {
    copy => { 
        "rId" => "rNum"
    }
    gsub => [ 
        "rNum", "^.*L", "",
        "rNum", "_.*$", ""
    ]
}

Correct, the order of operations is

  • coerce
  • rename
  • update
  • replace
  • convert
  • gsub
  • uppercase
  • capitalize
  • lowercase
  • strip
  • remove
  • split
  • join
  • merge
  • copy
  • add_field
  • remove_field
  • add_tag
  • remove_tag

Thanks, I will try with copy, but @Badger said that copy is after gsub, too. Tomorrow I will update you. Thanks!!!

Split the mutate filter into two mutate filters if you want to force the order.

Like this ???

Like that, except you have an extra => in the second mutate.

Thanks, tomorrow i will update, thanks!

@Badger thanks a lot, two mutates solve my issue!! BR
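
The ordering problem discussed in this thread, as an added Ruby example (not code from the thread or from the Logstash mutate plugin): a simplified model of a single mutate filter that applies only gsub, copy and add_field, in the order listed above. The `mutate` helper, the constants and the sample event are constructed for illustration.

```ruby
# Simplified model of ONE mutate filter (hypothetical helper, not plugin code).
# Only gsub, copy and add_field are modelled, in the order listed in the thread.
ORDER = %i[gsub copy add_field].freeze

def mutate(event, opts)
  out = event.dup
  ORDER.each do |op|
    next unless opts.key?(op)
    case op
    when :gsub
      # Flat array as in the config: field, pattern, replacement, ...
      opts[:gsub].each_slice(3) do |field, pattern, replacement|
        next unless out[field].is_a?(String) # field not there yet: no-op
        out[field] = out[field].gsub(Regexp.new(pattern), replacement)
      end
    when :copy
      opts[:copy].each { |src, dst| out[dst] = out[src] if out.key?(src) }
    when :add_field
      opts[:add_field].each do |name, value|
        # Expand %{field} references against the current event.
        out[name] = value.gsub(/%\{(\w+)\}/) { out[Regexp.last_match(1)].to_s }
      end
    end
  end
  out
end

EVENT = { "rId" => "ABC0_L123456_789012" }.freeze # constructed sample event
FIXED = ["rNum", "^.*L", "", "rNum", "_.*$", ""].freeze
BROKEN = ["rNum", "^.L", "", "rNum", "_.", ""].freeze

# add_field + gsub in one mutate: gsub sees no rNum, so nothing is stripped.
def single_add_field
  mutate(EVENT, add_field: { "rNum" => "%{rId}" }, gsub: FIXED)["rNum"]
end

# copy + gsub in one mutate: same outcome, copy also runs after gsub.
def single_copy
  mutate(EVENT, copy: { "rId" => "rNum" }, gsub: FIXED)["rNum"]
end

# Two mutates force the order: copy first, then gsub on the copied field.
def two_mutates(patterns)
  mutate(mutate(EVENT, copy: { "rId" => "rNum" }), gsub: patterns)["rNum"]
end

if __FILE__ == $PROGRAM_NAME
  puts single_add_field, single_copy, two_mutates(FIXED), two_mutates(BROKEN)
end
```

With the corrected patterns the two-filter form yields 123456; with the original patterns it still runs in the right order but only removes each underscore and the character after it.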
