Pulling what's left of my hair out trying to get this field to properly display. I have log data coming in from a firewall in key=value format. I'm using kv to parse all the fields out and I'm left with a field called [user][name]. I'm trying to remove the domain so I get just the user, but I can't seem to find the magic sauce that works.

In Kibana, under table view, the message field shows user=domain\\it4all and in JSON view it shows user=\"domain\\\\it4all\". I've tried about a dozen different expressions but none of them are working. I thought to list out what I tried, but I can't fully remember and I don't want to list something that does work and I thought I tried but didn't. Currently, the following is in my pipeline and not working:
mutate {
gsub => [
"[user][name]", "^\w+'\\'", ""
]
}
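To show why the posted pattern cannot match and what a working one looks like, here is an added example (mine, not from the post or from Logstash itself) that reproduces mutate's gsub with Ruby's String#gsub; it assumes the field holds domain\user with one or two backslashes and uses a constructed sample line.

```ruby
# Added example (not from the original post). Logstash runs on JRuby and the
# mutate filter compiles each gsub pattern with Regexp.new, so plain Ruby
# gsub shows the same matching behaviour.
#
# Constructed sample line in the key=value shape described in the post.
# Single quotes keep the backslash literally, so the value is domain\it4all.
SAMPLE_MESSAGE = 'action=allow src=10.0.0.5 user=domain\it4all dst=10.0.0.9'

# The posted pattern "^\w+'\\'" as the plugin receives it with the default
# config.support_escapes: false (string passed through verbatim):
#   \w+, a literal single quote, a literal backslash, a literal single quote.
# The field never contains quote characters, so nothing matches. With escapes
# enabled it would become ^\w+'\' (a quote, then end-of-string) and still fail.
POSTED_PATTERN = /^\w+'\\'/

# A pattern that does the job: from the start, everything that is not a
# backslash, then one or more backslashes. "\\+" makes it work whether the
# field holds domain\user or domain\\user (the JSON view quoted in the post
# suggests the raw message may carry a doubled backslash).
# In the pipeline, with escapes disabled, this is written as:
#   gsub => [ "[user][name]", "^[^\\]+\\+", "" ]
# With config.support_escapes: true each backslash must be doubled instead.
DOMAIN_PREFIX = /\A[^\\]+\\+/

# Minimal stand-in for the kv filter: split "k=v" pairs into a hash.
def parse_kv(message)
  message.split(' ').each_with_object({}) do |pair, fields|
    key, value = pair.split('=', 2)
    fields[key] = value if value
  end
end

# Running the posted gsub leaves the value unchanged: the reported symptom.
def strip_domain_as_posted(name)
  name.gsub(POSTED_PATTERN, '')
end

# Running the corrected gsub.
def strip_domain(name)
  name.gsub(DOMAIN_PREFIX, '')
end

# Full path: parse the line, then normalise the user field.
def user_from_message(message)
  strip_domain(parse_kv(message).fetch('user'))
end

if __FILE__ == $PROGRAM_NAME
  puts strip_domain_as_posted('domain\it4all')  # domain\it4all (no change)
  puts strip_domain('domain\it4all')            # it4all
  puts strip_domain('domain\\\\it4all')         # it4all
  puts user_from_message(SAMPLE_MESSAGE)        # it4all
end
```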