Logstash Ruby Code string

jonathan01 · June 4, 2019, 4:34pm

I am new to this and I am a little stuck.
I have a input from metric beats

"windows" => {
"perfmon" => {
"ica" => {
"output_pn_bandwidth" => 0,
"name" => "ICA-CGP 33 (jgillman)"
}
}

I need to get the user name from the name field. The user name will change it could be jgillman or r.little .... etc
In my logstash conf file I put
mutate {
add_field => { "user" => "%{[windows][perfmon][ica][name]}"}
}

ruby {
    code => "event.set('USER2', event.get('user')[12..30])"
}

the out put that I get is "USER2" => "jgillman)"
the problem is the last ")"
how would I get rid of that?

Badger · June 4, 2019, 5:11pm

I would not use ruby for that. Instead try

mutate { gsub => [ "user", ".*\((.*)\)", "\1" ] }

jonathan01 · June 4, 2019, 5:26pm

thanks so much that worked

jonathan01 · June 4, 2019, 5:31pm

I am new to this could you please explain the code

Badger · June 4, 2019, 5:38pm

It is .* (anything) followed by a literal (, followed by a capture group () that contains .* (anything), followed by a literal ). That matches the entire string, and the gsub replaces that (the entire string) with \1 (the value of the first capture group, which is everything inside the ( and )).

system · July 2, 2019, 5:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash strip string from field Logstash	9	770	August 30, 2021
Need to parse field name via logstash Logstash	5	471	January 16, 2020
Parsing an existing field further Logstash	6	389	September 10, 2021
Logstash add_field Logstash	7	37652	July 6, 2017
コピーしたフィールドから〇文字抜き出す方法 Logstash	3	872	July 10, 2019

Logstash Ruby Code string

Related topics