Remove opening and closing parenthesis using gsub

ombit · October 20, 2022, 10:49am

Hi all,

I am using Logstash to change the formatting of messages before forwarding them on to a QRadar reader.

The syslogs are coming from various other servers, being collated onto one central 'master' server within one file which is being watched by Filebeat for logstash to convert and send on. This is all working now, so thank you to those that helped me.

I've now heard that this has exposed a new issue, in that some of the original hosts of the syslogs are surrounded by parenthesis and I now need to remove them.

So my message may look like:

Oct 12 08:00:00 (iamservera) message

How do I remove the parenthesis using gsub? My efforts so far are failing.

Rios · October 20, 2022, 12:21pm

mutate{ gsub => ["message", "[()]", ""] }

{
         "event" => {
        "original" => "Oct 12 08:00:00 (iamservera) message"
    },
       "message" => "Oct 12 08:00:00 iamservera message"
}

ombit · October 20, 2022, 1:01pm

Sadly, it's not removing them:

        mutate {
            gsub => ["message", "[()]", "" ]
            }

Syslog message: (unknown): Oct 20 12:55:51 (iamservera) **.**.*.**->/var/log/evtmgr_statuslog charon stat : ONLINE\n

leandrojmp · October 20, 2022, 1:04pm

Can you share your Logstash pipeline?

Rios · October 20, 2022, 1:23pm

Something is not OK. This conf is working fine. Can you test the same?

input {
  generator {
       "message" => "Syslog message: (unknown): Oct 20 12:55:51 (iamservera) **.**.*.**->/var/log/evtmgr_statuslog charon stat : ONLINE\n"
       count => 1
  }
 
} # input

filter {

 	mutate{ gsub => ["message", "[()]", ""] }
   
}

output {

    stdout {
        codec => rubydebug{ metadata => true}
    }

}

Result:

{
         "event" => {
        "original" => "Syslog message: (unknown): Oct 20 12:55:51 (iamservera) **.**.*.**->/var/log/evtmgr_statuslog charon stat : ONLINE\\n"
    },
       "message" => "Syslog message: unknown: Oct 20 12:55:51 iamservera **.**.*.**->/var/log/evtmgr_statuslog charon stat : ONLINE\\n"
}

ombit · October 21, 2022, 8:17am

Please accept my apologies, for some reason my pipeline.conf had not saved (which was masked from me due to puppet).

Your solutions have worked - so thank you so very much as always. This really is a great community group.

Rios · October 21, 2022, 9:51am

Long live the king and the Elastic team.

system · November 18, 2022, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.