amaleswar
July 8, 2020, 12:42pm
1
Hello Team,
I want to delete anything after dll, example showing below. I`m trying to use mutate gsub but failing
Parsed data:
After Applying gsub
Output after gsub applied:
[ 0] "c:\\windows\\system32\\nlldll9c34",
[ 1] "c:\\windows\\system32\\kerasedll6a7f",
[ 2] "c:\\windows\\system32\\lsmdllff97"
Expected Output:
[ 0] "c:\windows\system32\nll.dll
My target is to remove everything after .dll in array using gsub or any other
Jenni
July 8, 2020, 12:56pm
2
[+.{1,5}] is a character set and searches for +, ., {, 1, ,, 5 and }.\+.{1,5} is what you actually wanted to do (The plus and one to five characters after it.)\+.*.dll, even if there is no plus, would be (?<=\.dll).*
amaleswar
July 8, 2020, 1:25pm
3
Hello Jenni Thanks for the response. I tried the option above, since array of objects it is working only 1 line.
Here is the result
"CallTrace" => [
not working on remaining.
Jenni
July 8, 2020, 2:02pm
4
Strange, I just tried this test configuration in Logstash 7.7.1 with logstash-filter-mutate (3.5.0):
input {
stdin{}
}
filter {
mutate {
add_field => {
"[winlog][event_data][CallTrace]" => [
"c:\windows\system32\nll.dll+92c34",
"c:\windows\system32\kerase.dll+6a7f5",
"c:\windows\system32\lsm.dll+ff97"
]
}
}
mutate {
gsub => [
"[winlog][event_data][CallTrace]", "(?<=\.dll).*", ""
]
}
}
output {
stdout {}
}
and got:
{
"@timestamp" => 2020-07-08T13:58:51.069Z,
"message" => "warghs",
"host" => "##########",
"@version" => "1",
"winlog" => {
"event_data" => {
"CallTrace" => [
[0] "c:\\windows\\system32\\nll.dll",
[1] "c:\\windows\\system32\\kerase.dll",
[2] "c:\\windows\\system32\\lsm.dll"
]
}
}
}
1 Like
amaleswar
July 8, 2020, 4:17pm
5
Found the issue. I suppose to use other mutate block instead of one. Thanks for your help.
system
August 5, 2020, 4:17pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.