Remove part of message string BEFORE and AFTER config

isarib · February 22, 2020, 5:01am

Hi,

Message: /merlion/dpa2/cn133ta/j4_sryuo/j4_02_sv_ip

I am trying to find a way to remove the strings BEFORE and AFTER a defined string in a message.

In this message, the constant value is dpa2, and I want to discard anything BEFORE dpa2(inclusive), and the "cn133ta/". Only want to retain "j4_sryuo/j4_02_sv_ip".

The position of cn133ta will be of dynamic value, so it is not a constant string. Hope that makes sense.

At the moment, I have tried the gsub below:

mutate { gsub => [ "dir_path", "/[^./]+/tpa2/", "/" ] }

But I'm having trouble finding a way to discard the AFTER string, in this case "cn133ta/".

Thanks

rugenl · February 22, 2020, 3:00pm

Is it always / separated? Use dissect or grok to break it into fields, then remove_field the ones you don't want.

isarib · February 24, 2020, 1:58am

Yes, its always separated with a "/", since it is really a form of directory structure.

I have found the solution, and that is the below.

mutate { gsub => [ "dir_path", "^.*?/dpa2/[^/]+/", "" ] }

system · March 23, 2020, 1:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.