Remove all backslashes from fields in logstash

Hello,

What I am trying to do is to remove backslashes as well as double quotes from fields after parsing them with kv.

Here is the original input sent to logstash:

<14>1 2023-05-09T15:06:23+02:00 NAS WinFileService - - [synolog@6555 synotype=\"WinFileService\" ip=\"192.168.1.1\" luser=\"TEST\\\\jdoe\" event=\"read\" isdir=\"File\" fsize=\"1.07 MB\" fname=\"/Info Users/2023/05. May/Offer.xlsx\"][meta sequenceId=\"86\"] Event: read, Path: /Info Users/2023/05. May/Offer.xlsx, File/Folder: File, Size: 1.07 MB, User: TEST\\jdoe, IP: 192.168.1.1

What I would like to get is something like that:

{
    "ip": "172.20.70.111",
    "host": "NAS",
    "nas.file.size": "1.07 MB",
    "nas.file.type": "File",
    "nas.file.name": "/Info Users/2023/05. May/Offer.xlsx",
    "domain": "TEST",
    "username": "jdoe",
    "nas.logtype": "WinFileService",
    "nas.event": "read"
}

But what I am currently getting is:

{
    "ip": "172.20.70.111\" ",
    "host": "NAS",
    "nas.file.size": "1.07 MB\" ",
    "nas.file.type": "File\" ",
    "nas.file.name": "/Info Users/2023/05. May/Offer.xlsx\"][meta ",
    "username": "TESTjdoe\" ",
    "nas.logtype": "WinFileService\" ",
    "nas.event": "read\" "
}

Here is my logstash conf file:

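  if [type] == "nas" {
    # NOTE(review): the whole syslog line is kv-parsed below, and that line carries
    # text the client controls (file name, user name). An "=" or "," inside such a
    # value would be read as a further key/value pair, and the structured-data
    # boundary already leaks into a value ("...xlsx\"][meta " in the current
    # output). include_keys on kv limits which keys may become event fields;
    # isolating the [synolog@6555 ...] element before kv would be the fuller fix.

    # Prepare the message for kv: give empty values an explicit "" and put a
    # ", " separator in front of every key so field_split => "," can cut pairs.
    mutate {
      gsub => ["message", '= ', '=\"\" ']
      gsub => ["message", "(\S+=)", ", \1"]
    }
    # Replace the syslog-escaped \" quote with a single quote.
    mutate {
      gsub => ["message", '\\"', "'"]
    }

    # Strip every remaining backslash. NOTE(review): this also erases the
    # domain\user separator in luser ("TESTjdoe" in the current output); if
    # domain and username are wanted as separate fields, they have to be split
    # off before this step.
    mutate {
      strip => "message"
      gsub => ["message","[\\]",""]
    }

    kv {
      source => "message"
      field_split => ","
      # Values arrive as <quote><text><quote><space>; the trailing space kept the
      # quote from being trimmed (every value in the current output ends in '" ').
      # Whitespace is therefore part of the trim set as well.
      trim_value => '"\'\s'
      trim_key => "\s"
      # Only the parameters seen in the synolog@6555 element may become event
      # fields; anything else parsed out of message is dropped. Presumably this
      # is matched against the trimmed key name — verify on the installed kv
      # plugin version.
      include_keys => ["synotype", "ip", "luser", "event", "isdir", "fsize", "fname"]
    }

    # host is dropped here and re-created from the syslog HOSTNAME by the grok
    # below; sequenceId is the [meta ...] counter and is not kept.
    mutate {
      remove_field => [
        "@version",
        "host",
        "sequenceId"
      ]
    }
    # Pull the sending host out of the RFC 5424 header.
    grok {
      match => { "message" => "^<%{POSINT}>%{INT} %{TIMESTAMP_ISO8601} %{HOSTNAME:host}%{GREEDYDATA}$" }
    }
    # Map the Synology keys onto the nas.* naming and add static inventory tags.
    mutate {
      rename => {"synotype" => "nas.logtype"}
      rename => {"event" => "nas.event"}
      rename => {"isdir" => "nas.file.type"}
      rename => {"fsize" => "nas.file.size"}
      rename => {"fname" => "nas.file.name"}
      rename => {"luser" => "username"}
      add_field => { "environment" => "production" }
      add_field => { "host.type" => "appliance" }
      add_field => { "tier" => "storage" }
      add_field => { "criticity" => "high" }
      add_field => { "datacenter" => "geneva" }
    }
  }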
