Hello there
Im generating new field based on this entry a serial number and a status
34401910175945 ,ON
The with this regular expression
(?<serial_number>.*[0-9])\s(?<my_status>[^,].\w+)
I get
{
"serial_number": [
"34401910175945"
],
"my_status": [
",ON"
]
}
But am not being able to remove the coma ( , ) character, what am I missing?
Thanks
You could use split https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-split
filter {
mutate {
split => { "fieldname" => " ," }
}
}
Don't include it in the capture group, put it next to the \s preceding the second capture group.
@philippkahr
Thanks for your help, now Im getting this
"my_status": [
"",
"ON"
From logstash log I see this
"my_status" => [
[0] "",
[1] "ON"
The coma is not removed should it be?
Can I do something like update => { "my_status" => "%my_status[1]" } ?
Regards
The , you are mentioning is just json notation, so that has to be there 
@philippkahr
You are right, so , back to my question, how can I remove the ( , ) from the field to have something like this?
"my_status": "ON",
My regular expression seems to be bad, Im creating a temporary field like this:
mutate {
copy => { "message" => "message_tmp" }
}
grok {
match => {
"message_tmp" => "(?<serial_number>.*[0-9])\s(?<my_status>[^,].\w+)"
Thank you!
Regards
replace => {
{ "my_status" => "%{my_status[1]}" }
}
So your entire pipeline would be something like this (pseudocode)
mutate {
copy => { "message" => "message_tmp" }
},
mutate {
split => { "fieldname" => " ," }
},
replace => {
{ "my_status" => "%{my_status[1]}" }
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.