Logstash masking logs syntax


I want to mask some logs in specific fields. For example, if the endpoint ends with api or token, I want to remove userKey messages from the field ResponseMessage.

But it is not the whole field that I want to remove or mask, only the userKey message.

Is it possible to do it? userKey is not a field for our logs.

I wrote something like this, but it's not working:

filter {
 if "PROD" in [tags] {
   if "api","token" in [EndPoint]
 mutate {
 gsub => ["ResponseMessage","(?im)(\\?\"([\w\d]*?(encryptionKey|userKey)[\w\d]*?)\\?\"\:\\?\s\\?\")(.*?)(\\\"|\"|,|})", "\1***\5"]

What would you like that to mean?

Actually it was only for "api"; I used it so that if there is any "api" value in EndPoint, I wanted to filter for it.

I want to use a filter like this:

"Is there a way I can do the following using Logstash filters:
I have an ID stored in a field, for example id: 123456789.
I want to replace the first 5 digits with an 'x', so that the id looks like id:xxxxx6789.
How can I do this in Logstash filters?"
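
One way to write the two masks discussed in this thread, as an added example that is not from any of the posters. It assumes EndPoint and ResponseMessage are string fields, that "ends with api or token" means a suffix match, and that the quoted question's field is named id.

```logstash
filter {
  if "PROD" in [tags] {
    # A single regex test expresses "EndPoint ends with api or token".
    # Drop the trailing $ to match "api" or "token" anywhere in the value.
    if [EndPoint] =~ /(api|token)$/ {
      mutate {
        # Mask only the value that follows a userKey/encryptionKey key inside
        # ResponseMessage; the rest of the field is left untouched.
        #   \\?"   matches a quote, optionally backslash-escaped (JSON inside a string)
        #   \1     keeps the key, the colon and the opening quote of the value
        #   [^"\\]* consumes the value up to its closing (or escaped) quote
        # Single-quoted config strings let the pattern contain " unescaped.
        # Caveat: a value that itself contains a quote or backslash is only
        # masked up to that character.
        gsub => [
          "ResponseMessage",
          '(?i)(\\?"\w*(?:userKey|encryptionKey)\w*\\?"\s*:\s*\\?")[^"\\]*',
          '\1***'
        ]
      }
    }

    # The quoted question: replace the first five digits of id with x,
    # so 123456789 becomes xxxxx6789.
    if [id] {
      mutate {
        # gsub only acts on strings, so a numeric id is converted first
        # (within one mutate block, convert runs before gsub).
        convert => { "id" => "string" }
        gsub    => [ "id", '^\d{5}', 'xxxxx' ]
      }
    }
  }
}
```

With a constructed value such as `{"userKey":"abc123","status":"ok"}` in ResponseMessage, the first gsub leaves `{"userKey":"***","status":"ok"}`.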
