I'm looking to remove a specific key=value pair that is inside a STRING.
Say, input event is as follows:
{
  "ABC": "10119707",
  "Request_StartTime": "1558952196175",
  "Severity": "INFO",
  "UUID": "481e8cfa-399c-4996-a4d3-7e9b7ec866fa",
  "Src_LogMsg": "type=abc, user=abc.def, vid=1111, api=fooapi, email=abc.def@gmail.com, cat=1",
  "@version": "1",
  "@timestamp": "2019-05-27T10:16:36.180Z",
  "Src_Host": "Hostname",
  "Request_IpAddress": "1.1.1.1"
}
I want to remove the key=value pair user=abc.def from the Src_LogMsg string. The following works:
filter {
  if [Src_LogMsg] =~ /.+/ {
    mutate {
      gsub => ["Src_LogMsg","(user=(.+?)\s)",""]
    }
  }
}
But if the user=abc.def is at the end of Src_LogMsg as opposed to being in the middle, then the above doesn't work. Please see the below screenshots:
Here user=abc.def is in the middle with cat=1 being the last k=v pair
Here user=abc.def is at the end of Src_LogMsg string. It's not removed.
Test string from which user=xyz is successfully removed:
{"ABC": "10119707", "Request_StartTime": "1558952196175", "Severity": "INFO", "UUID": "481e8cfa-399c-4996-a4d3-7e9b7ec866fa", "Src_LogMsg": "type=abc, user=abc.def, vid=1111, api=fooapi, email=abc.def@gmail.com, cat=1", "@version": "1", "@timestamp": "2019-05-27T10:16:36.180Z", "Src_Host": "Hostname","Request_IpAddress": "1.1.1.1"}
Test string from which user=xyz is NOT removed:
{"ABC": "10119707", "Request_StartTime": "1558952196175", "Severity": "INFO", "UUID": "481e8cfa-399c-4996-a4d3-7e9b7ec866fa", "Src_LogMsg": "type=abc, vid=1111, api=fooapi, email=abc.def@gmail.com, cat=1, user=abc.def", "@version": "1", "@timestamp": "2019-05-27T10:16:36.180Z", "Src_Host": "Hostname","Request_IpAddress": "1.1.1.1"}
Can someone please help me form the correct regex that will remove the user=abc.def k=v pair irrespective of its location within the Src_LogMsg field?
Logstash.conf:
input {
  stdin {
    codec => json
  }
}
filter {
  if [Src_LogMsg] =~ /.+/ {
    mutate {
      gsub => ["Src_LogMsg","(user=(.+?)\s)",""]
    }
  }
}
output {
  stdout { codec => rubydebug { metadata => true } }
}
Logstash Version: 5.5.1
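
Why the posted pattern misses a trailing pair, and one pattern that removes the pair at the start, middle or end of the field, shown as an added example that is not part of the original post. It is written in Ruby because the mutate filter's gsub patterns are Ruby regular expressions; it assumes pairs are separated by a comma with optional whitespace and that values contain no comma, and `REMOVE_USER`, `strip_user` and the sample strings are names and data constructed here.

```ruby
# Added example, not from the original post.

# Pattern from the question: it requires a whitespace character after the
# value, so a pair followed by end-of-string never matches.
ORIGINAL = /(user=(.+?)\s)/

# Position-independent pattern (assumptions: ", " style separators, no comma
# inside a value).
#   branch 1: pair at the very start, removed with its trailing separator
#   branch 2: pair anywhere else, removed with its leading separator
# Requiring \A or a comma before "user=" also keeps keys such as
# "superuser=" from being matched by accident.
REMOVE_USER = /\Auser=[^,]*(?:,\s*|\z)|,\s*user=[^,]*(?=,|\z)/

# Hypothetical helper: return the message with the user=... pair removed.
def strip_user(msg)
  msg.gsub(REMOVE_USER, "")
end

# Constructed samples based on the Src_LogMsg value shown in the question.
SAMPLES = {
  middle: "type=abc, user=abc.def, vid=1111, api=fooapi, email=abc.def@gmail.com, cat=1",
  end:    "type=abc, vid=1111, api=fooapi, email=abc.def@gmail.com, cat=1, user=abc.def",
  start:  "user=abc.def, type=abc, cat=1",
  only:   "user=abc.def",
  other:  "type=abc, superuser=root, cat=1"
}.freeze

SAMPLES.each do |where, msg|
  puts "#{where}:"
  puts "  posted pattern -> #{msg.gsub(ORIGINAL, '').inspect}"
  puts "  REMOVE_USER    -> #{strip_user(msg).inspect}"
end
```

The regex source is meant to replace the pattern string in the post's `gsub` setting; that substitution is an assumption here and was not tested against Logstash 5.5.1.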