Remove part of message string BEFORE and AFTER config

isarib · February 22, 2020, 5:01am

Hi,

Message: /merlion/dpa2/cn133ta/j4_sryuo/j4_02_sv_ip

I am trying to find a way to remove the strings BEFORE and AFTER a defined string in a message.

In this message, the constant value is dpa2, and I want to discard anything BEFORE dpa2(inclusive), and the "cn133ta/". Only want to retain "j4_sryuo/j4_02_sv_ip".

The position of cn133ta will be of dynamic value, so it is not a constant string. Hope that makes sense.

At the moment, I have tried the gsub below:

mutate { gsub => [ "dir_path", "/[^./]+/tpa2/", "/" ] }

But I'm having trouble finding a way to discard the AFTER string, in this case "cn133ta/".

Thanks

rugenl · February 22, 2020, 3:00pm

Is it always / separated? Use dissect or grok to break it into fields, then remove_field the ones you don't want.

isarib · February 24, 2020, 1:58am

Yes, its always separated with a "/", since it is really a form of directory structure.

I have found the solution, and that is the below.

mutate { gsub => [ "dir_path", "^.*?/dpa2/[^/]+/", "" ] }

system · March 23, 2020, 1:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove part of message string in logstash config Logstash	6	8917	September 10, 2019
Remove part of message string Logstash	7	19260	December 21, 2016
Removing specific text from a log mesg Logstash	5	3288	July 12, 2017
Logstash - how to remove strings within a field (whose content itself a raw string)? Logstash	4	1107	November 10, 2021
Strip part of message Logstash Logstash	1	423	November 15, 2019

Remove part of message string BEFORE and AFTER config

Related topics