Non Delimited String search

I have an incoming field designated as source with the following "/mnt/rsyslog_custom/nagios-prod-na2-san3/nagios_na2_6065". I want to use Logstash to remove all but "nagios-prod-na2-san3". Is there a way to accomplish this? I have a regex `/^(?:[^/]*/){3}([^/]*)` that works, but I don't know how to implement it using Logstash.

Either use a mutate filter and its gsub option to strip the unwanted prefix or use a grok filter to extract the wanted piece to a new field.
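Both options from the reply above, written out as an added example that is not part of the original thread. The field name `log_host` and the tag `_source_path_unparsed` are hypothetical, and the pattern assumes the wanted value is always the third directory under the root.

```logstash
filter {
  # Option 1: grok copies the third path component into a new field and
  # leaves "source" untouched. Events whose path has fewer than three
  # directories get a dedicated tag so they can be routed or alerted on.
  grok {
    match => { "source" => "^(?:[^/]*/){3}(?<log_host>[^/]*)" }
    tag_on_failure => ["_source_path_unparsed"]
  }

  # Option 2: mutate/gsub rewrites "source" in place, keeping only the
  # captured component. If the pattern does not match, the field is left
  # unchanged and no tag is added, so a malformed path passes silently.
  # Use one option or the other; if both are kept, grok must run first
  # because it needs the full path.
  mutate {
    gsub => [ "source", "^(?:[^/]*/){3}([^/]*).*$", "\1" ]
  }
}
```

With the sample path from the question, `log_host` and the rewritten `source` both come out as `nagios-prod-na2-san3`.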
