Logstash strip string from field

Elastic Stack Logstash
1

Hi guys.

In my logstash stream, I have a some filter to add a fields which is the merging of other fields.

as follow:

if [destinationUserName] and [sourceUserName] {
    mutate { add_field => { "userID" => "%{ad.loginName}" } }
}   else if [destinationUserName] {
    mutate { add_field => { "userID" => "%{destinationUserName}" } }
} else if [sourceUserName] {
    mutate { add_field => { "userID" => "%{sourceUserName}" } }

this works just file, expect the field ad.loginName is a field that looks like this

ad.loginName
user\0001

when the merge happens, my userID field looks like this.

userID
user\0001

I was wondering if there is a way how i can strip the user\and keep only the number so that in the userID I will have some thing like this

userID
0001

thank you very much for any help you can provide

2

Try

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }
3

thank you very much for your reply and solution. I do have another question about this process.
because the stripping, forced the new field do drop all the leading zero. can I post the question here or open a new topic for it?

4

You could use

mutate { gsub => [ "ad.loginName", "^0+", "" ] }`
5

sorry for this question, I just want to understand that bit of code.

mutate { gsub => [ "ad.loginName", "^0+", "" ] }

will simply keep the zeros that had before right?

so if it has 3 zeros, will keep them?

6

^ anchors the pattern to the beginning of the string. + means "one or more". So this will replace one or more zeroes at the start of the string with "". That is, it will delete them.

7

Perfect, but I want to keep the zeros not remove them.

right now if we consider this original string:

user\0001

after the gsub on the first solution, I am having his output

1

I believe that logstash drops the leading zeros, but I would like to keep them. So as a output after the gsub, I would like to have this

0001

sorry if I didn't explained clearly my problem before.

8

Are you saying that

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }

removes the zeroes? I can only see that happening if the string is being converted to an integer.

9

Yes, the

mutate { gsub => [ "ad.loginName", "user[\\]", "" ] }

is removing the zeroes also.

Oh ok, so it ok, I will find another way how to process that field, because converting the field to a integer might cause errors in the future probably. thank you very much for your help and time.