Remove drive letter from file path GROK pattern

I'm trying to remove the drive letter from file paths as they are ingested through the pipeline. My input is something like

(This is just an example; the file could be many more folders deep)

I want the output to just be


I'm currently using

This gives me the structure I want, but by escaping the slashes it now has double the slashes between elements.


Any suggestions would be appreciated. Cheers

Replying to my own question: there may be a cleaner solution, but using a gsub before the grok to replace the double \\ with a single / escapes the backslashing issue altogether.

"gsub": {
  "field": "input",
  "pattern": "\\\\",
  "replacement": "/"
}
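The gsub-then-grok approach from the reply above, written out as a request body for the ingest pipeline simulate API (`POST _ingest/pipeline/_simulate`). This is an added example, not part of the original post: the grok pattern, the output field name `path_no_drive` and the sample documents are constructed, since the poster's own pattern and sample paths are not shown on the page.

```json
{
  "pipeline": {
    "description": "Constructed example: convert backslashes to forward slashes, then drop the drive letter",
    "processors": [
      {
        "gsub": {
          "field": "input",
          "pattern": "\\\\",
          "replacement": "/"
        }
      },
      {
        "grok": {
          "field": "input",
          "patterns": ["^[A-Za-z]:%{GREEDYDATA:path_no_drive}$"],
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    { "_source": { "input": "C:\\Users\\example\\Documents\\report.txt" } },
    { "_source": { "input": "D:\\logs\\app.log" } },
    { "_source": { "input": "/var/log/syslog" } }
  ]
}
```

Because the gsub runs first, the grok pattern only has to deal with forward slashes and needs no backslash escaping; `ignore_failure` lets paths without a drive letter pass through unchanged instead of failing the pipeline.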