Problem to replace field string "|" with mutate gsub filter

esportuga · May 11, 2020, 9:48pm

Hello,
My problem has two solutions that I can use. At the moment I am not achieving success in any.

My log

2020-04-30T13: 48: 17.954 Int 50141 009401EA-1003849D 3553384768 custom_var navigation|4300; 4201; 7001; 8001; 9000

Solution 1
Try to separate the data after the "|" character:

grok {
    #match => {"message" => "% {TIMESTAMP_ISO8601: log_data_evento}% {SPACE}% {GREEDYDATA: data_log}"}
    match => {"message" => "% {TIMESTAMP_ISO8601: timestamp}% {SPACE}% {WORD}% {SPACE}% {NUMBER}% {SPACE}% {NOTSPACE: field1}% {SPACE}% {NUMBER} % {SPACE} custom_var navigation|%{GREEDYDATA: detail} "}
  }

It didn't work, the grok fails.

Solution 2
Grok differently and remove the character "|" with a mutate gsub filter.

I managed to make the grok so that the "detail" field has this value:

|4300; 4201; 7001; 8001; 9000

I tried to replace the character "|" blank with the gsub filter as shown below:

filter {
mutate {
      gsub => ["detail", "|", ""]
}
}

However, the character remains intact.
Am I doing something wrong? Any solution?

Thank you

esportuga · May 11, 2020, 10:12pm

Ok

Im fixed this with

system · June 8, 2020, 10:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Replacing Special Characters Logstash	1	957	April 6, 2018
Logstash gsub filter with special characters not working Logstash	3	1289	June 5, 2018
How to replace 'special characters' with a logstash filter Logstash	3	43853	July 6, 2017
Trouble replacing a "\|\|" Logstash	1	241	July 6, 2017
Replace multiple patterns with gsub mutate filter Logstash	2	5003	July 6, 2017

Problem to replace field string "|" with mutate gsub filter

Related topics