Remove drive letter from file path GROK pattern

Im trying to remove the drive letter from file paths as they are ingested through the pipeline, my input is something like

C:\folder1\folder2\file.ext
(This is just an example the file could be many more folders deep)

I want the output to just be

folder1\folder2\file.ext

Im currently using
%{GREEDYDATA:driveLetter}[:]%{GREEDYDATA:filePath}

This gives me the structure I want but by escaping the slashes it now has double the slashes between elements

folder1\\folder2\\file.ext

Any suggestions would be appreciated. Cheers

Replying to my own question, there may be a cleaner solution but using a gsub before the grok to replace the double \\ with a single / escapes the backslashing issue altogether.

"gsub": {
  "field": "input",
  "pattern": "\\\\",
  "replacement": "/"
},

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.