Remove backslash "\\s" about in Logstash

khergner · April 5, 2019, 4:57am

Hi,
There is json data so I want to parse use but ı need \" remove in json line. How can ı remove **\"**quate? I know using gsub but ı can't.

Exampler data;

{  
   "dateTime":"\"2019-03-27T00:59:15\"",
   "scStatus":200,
   "scBytes":503052,
   "timeTaken":45,
   "csCookie":"\"-\"",
   "csIp":"4.36.202.18",
   "csMethod":"\"GET\"",
   "csReferer":"\"-\"",
   "csUseragent":"\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36\""
}

I use filter

filter {
	if [type] == "akamai"{
		grok {
			match => {
				"message" => "%{NOTSPACE:dateTime}%{SPACE}%{IP:csIp}%{SPACE}%{NOTSPACE:csMethod}%{SPACE}%{NOTSPACE:csUrl}%{SPACE}%{NUMBER:scStatus:int}%{SPACE}%{NUMBER:scBytes:int}%{SPACE}%{NUMBER:timeTaken:int}%{SPACE}%{NOTSPACE:csReferer}%{SPACE}%{QS:csUseragent}%{SPACE}%{NOTSPACE:csCookie}"
			}
		remove_field => ["message"]
		}
				mutate {
		gsub => {
				["csIp", "\\", ""]
			}
		}
	}
}

EXPECTED RESULT

{  
   "dateTime":"2019-03-27T00:59:15",
   "scStatus":200,
   "scBytes":503052,
   "timeTaken":45,
   "csCookie":"-",
   "csIp":"4.36.202.18",
   "csMethod":"GET",
   "csReferer":"-",
   "csUseragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
}

Badger · April 5, 2019, 12:43pm

mutate { gsub => [ "csMethod", '"', '' ] }

system · May 3, 2019, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.