Hello,
I have some syslogs to parse which are in a very basic comma delimited format. Everything looks and works fine apart from a file path with backslashes.
I've seen several suggestions on the forum around mutate and gsub but I've no idea where to put them!
Below is an example in the Elastic Dev Tools section for Security Onion:
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "logparsetest",
    "processors": [
      {
        "dissect": {
          "field": "message",
          "pattern": "%{Junk1},%{Junk2},%{FilePath},%{SomethingElse}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "Junk1,Junk2,c:\somepath\example.exe,se"
      }
    }
  ]
}
Can someone please advise where I would put the processing in the above to fix the error 'Unrecognized character escape'?
Many thanks
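Added example, not part of the original post: the 'Unrecognized character escape' comes from the JSON layer, where `\s` is not a legal escape, so the fix is to double the backslashes in the request body (or let a JSON serialiser do it) rather than to add a processor. The script below shows the posted doc failing to parse, builds a correctly escaped _simulate body with json.dumps, and runs a minimal stand-in for the dissect pattern (my own approximation, not the real processor) over the decoded message.

```python
import json
import re

# Constructed sample log line (a Windows path inside a comma-delimited record).
RAW_MESSAGE = r"Junk1,Junk2,c:\somepath\example.exe,se"
PATTERN = "%{Junk1},%{Junk2},%{FilePath},%{SomethingElse}"

# The _source exactly as it appears in the post: single backslashes in JSON.
POSTED_DOC = r'{"message": "Junk1,Junk2,c:\somepath\example.exe,se"}'


def is_valid_json(text: str) -> bool:
    """True if text parses as JSON; "\\s" and "\\e" are not JSON escapes."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def build_simulate_body(message: str) -> str:
    """Serialise the _simulate request; json.dumps doubles every backslash."""
    body = {
        "pipeline": {
            "description": "logparsetest",
            "processors": [{"dissect": {"field": "message", "pattern": PATTERN}}],
        },
        "docs": [{"_source": {"message": message}}],
    }
    return json.dumps(body, indent=2)


def roundtrip_message(message: str) -> str:
    """What Elasticsearch sees after decoding the body: the original path."""
    return json.loads(build_simulate_body(message))["docs"][0]["_source"]["message"]


def dissect(pattern: str, text: str) -> dict:
    """Toy dissect: %{key} becomes a lazy capture, everything else is literal.
    Assumption: plain keys only, no modifiers such as %{+key} or %{?key}."""
    parts = re.split(r"%\{(\w+)\}", pattern)  # literal, key, literal, key, ...
    regex = "".join(
        re.escape(p) if i % 2 == 0 else f"(?P<{p}>.*?)" for i, p in enumerate(parts)
    )
    match = re.fullmatch(regex, text)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    print("posted doc is valid JSON:", is_valid_json(POSTED_DOC))
    print(build_simulate_body(RAW_MESSAGE))
    print(dissect(PATTERN, roundtrip_message(RAW_MESSAGE)))
```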