Need to split comma delimited string where one of the fields contains a backslash

I have this message string: "foo,bar,domain\name,blah"
I need to split it into fields so it looks like this:
field[0]: foo
field[1]: bar
field[2]: domain\user
field[3]: blah

but the split filter splits the message using the backslash "n" first, then splits on the comma so I end up with two messages. The string literally contains "\n" in cases where the user's name starts with the letter "n". I need to first replace the backslash with 2 backslashes, then split on the comma terminator.

Why do you think you need to transform the backslash?

input { generator { count => 1 lines => [ 'foo,bar,domain\name,blah' ] } }
filter { mutate { split => { "message" => "," } } }
output { stdout { codec => rubydebug { metadata => false } } }

will produce

    "message" => [
        [0] "foo",
        [1] "bar",
        [2] "domain\\name",
        [3] "blah"
    ],

If you really do want to replace one backslash with two you can use

mutate { gsub => [ "message", "[\\]", "\XXX\XXX", "message", "XXX", "" ] }

which will produce

  "message" => "foo,bar,domain\\\\name,blah",

Thanks, there was something about the way I was sending data to the logstash listener via syslog forwarder. When I send a payload straight to the tcp listener via netcat, it behaves how you said it should. I will explore why it is different coming from my forwarder.
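
An added example, not part of any post in this thread: a Ruby sketch for checking whether the bytes reaching a listener hold the two characters backslash and "n" or a real line feed, and what each case does to line framing and the comma split. The helper names and both sample payloads are constructed, and a sender that unescapes `\n` is only an assumption about one possible cause, not something the thread confirms.

```ruby
# Constructed sample payloads (not captured from a real forwarder).
LITERAL   = 'foo,bar,domain\name,blah'  # single quotes: backslash + "n", two bytes
UNESCAPED = "foo,bar,domain\name,blah"  # double quotes: Ruby turns \n into LF (0x0A)

# Mimic a line-oriented TCP listener: every LF byte ends one event.
def frame_events(payload)
  payload.split("\n", -1).reject(&:empty?)
end

# Mimic mutate { split => { "message" => "," } } applied to each framed event.
def split_fields(payload)
  frame_events(payload).map { |event| event.split(",", -1) }
end

# Report what is actually on the wire, so display escaping cannot mislead.
def diagnose(payload)
  bytes = payload.bytes
  {
    literal_backslash_n: payload.scan(/\\n/).length, # 0x5C 0x6E pairs
    real_line_feeds: bytes.count(0x0A),
    events: frame_events(payload).length,
    hex: bytes.map { |b| format("%02x", b) }.join(" ")
  }
end

if __FILE__ == $PROGRAM_NAME
  [LITERAL, UNESCAPED].each do |payload|
    # inspect shows a single backslash as \\ ; that is display escaping only.
    puts diagnose(payload).inspect
    puts split_fields(payload).inspect
  end
end
```

Running the same `diagnose` on a raw capture of what the forwarder sends shows whether a 0x0A byte is already present before the split runs.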
