Logstash strip string from field

Elastic Stack Logstash
1

Hi guys.

In my logstash stream, I have a some filter to add a fields which is the merging of other fields.

as follow:

if [destinationUserName] and [sourceUserName] {
    mutate { add_field => { "userID" => "%{ad.loginName}" } }
}   else if [destinationUserName] {
    mutate { add_field => { "userID" => "%{destinationUserName}" } }
} else if [sourceUserName] {
    mutate { add_field => { "userID" => "%{sourceUserName}" } }

this works just file, expect the field ad.loginName is a field that looks like this

ad.loginName
user\0001

when the merge happens, my userID field looks like this.

userID
user\0001

I was wondering if there is a way how i can strip the user\and keep only the number so that in the userID I will have some thing like this

userID
0001

thank you very much for any help you can provide

2

Try

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }
3

thank you very much for your reply and solution. I do have another question about this process.
because the stripping, forced the new field do drop all the leading zero. can I post the question here or open a new topic for it?

4

You could use

mutate { gsub => [ "ad.loginName", "^0+", "" ] }`
5

sorry for this question, I just want to understand that bit of code.

mutate { gsub => [ "ad.loginName", "^0+", "" ] }

will simply keep the zeros that had before right?

so if it has 3 zeros, will keep them?

6

^ anchors the pattern to the beginning of the string. + means "one or more". So this will replace one or more zeroes at the start of the string with "". That is, it will delete them.

7

Perfect, but I want to keep the zeros not remove them.

right now if we consider this original string:

user\0001

after the gsub on the first solution, I am having his output

1

I believe that logstash drops the leading zeros, but I would like to keep them. So as a output after the gsub, I would like to have this

0001

sorry if I didn't explained clearly my problem before.

8

Are you saying that

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }

removes the zeroes? I can only see that happening if the string is being converted to an integer.

9

Yes, the

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }

is removing the zeroes also.

Oh ok, so it ok, I will find another way how to process that field, because converting the field to a integer might cause errors in the future probably. thank you very much for your help and time.

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.