Logstash - how to remove strings within a field (whose content itself a raw string)?

helloworld1234 · October 13, 2021, 2:18am

I have a event that consists of various fields, one of which is called "raw_message". This field's contents is a raw string eg.

Input:

raw_message: "Raw user details:: [location:london name:kris wu id:L3j5k category:vip]"

Output:

raw_message: "Raw user details:: [location:london category:vip]"

I would like to remove name and id from this field. I understand remove_field doesnt work for the mutate or filter plugin since that function removes the entire field which is not what I'm looking for.

Badger · October 13, 2021, 2:44am

You may be able to do it using mutate+gsub.

helloworld1234 · October 13, 2021, 4:53am

Thanks for the reply. Correct me if i misunderstood gsub, but wouldnt it only replace the highlighted field?

i.e.

 filter {
      mutate {
        gsub => [
          # replace all forward slashes with underscore
          "raw_message", "name", "****",
        ]
      }
    }

input:

raw_message: "Raw user details:: [location:london name:kris wu id:L3j5k category:vip]"

output:

raw_message: "Raw user details:: [location:london ****:kris wu id:L3j5k category:vip]"

Badger · October 13, 2021, 4:22pm

You could try something like

mutate { gsub => [ "raw_message", "name:\w+ ", "" ] }

system · November 10, 2021, 4:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.