Logstash - how to remove strings within a field (whose content itself a raw string)?

helloworld1234 · October 13, 2021, 2:18am

I have a event that consists of various fields, one of which is called "raw_message". This field's contents is a raw string eg.

Input:

raw_message: "Raw user details:: [location:london name:kris wu id:L3j5k category:vip]"

Output:

raw_message: "Raw user details:: [location:london category:vip]"

I would like to remove name and id from this field. I understand remove_field doesnt work for the mutate or filter plugin since that function removes the entire field which is not what I'm looking for.

Badger · October 13, 2021, 2:44am

You may be able to do it using mutate+gsub.

helloworld1234 · October 13, 2021, 4:53am

Thanks for the reply. Correct me if i misunderstood gsub, but wouldnt it only replace the highlighted field?

i.e.

 filter {
      mutate {
        gsub => [
          # replace all forward slashes with underscore
          "raw_message", "name", "****",
        ]
      }
    }

input:

raw_message: "Raw user details:: [location:london name:kris wu id:L3j5k category:vip]"

output:

raw_message: "Raw user details:: [location:london ****:kris wu id:L3j5k category:vip]"

Badger · October 13, 2021, 4:22pm

You could try something like

mutate { gsub => [ "raw_message", "name:\w+ ", "" ] }

system · November 10, 2021, 4:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove contents of field from another field Logstash	3	397	April 4, 2018
Logstash strip string from field Logstash	9	770	August 30, 2021
Remove part of message string Logstash	7	19260	December 21, 2016
How to remove %3A and such hash in text while parsing? Logstash	6	490	August 21, 2021
How to replace or remove hyphen (-) in a string field Logstash	2	1483	April 27, 2019

Logstash - how to remove strings within a field (whose content itself a raw string)?

Related topics