Remove part of message string in logstash config


I have a string like - 123RGT78.XY.ABD.COM
I need only 123RGT78 from this string and want to remove everything coming after the first dot (.)
How can I achieve this?

filter {
mutate {
gsub => ["message", "]

mutate { gsub => [ "someField", "\..*", "" ] }

Hi Badger,

I tried this but it is only removing (dot) and giving result 123RGT78XYABDCOM.
My need is to remove everything after (dot).

The mutate I posted will remove the first dot in the string and everything after it.

Not sure why it didn't work before. But now it's working. Thanks Badger.

One more ask. How to remove everything after (-)?
ex: 01234 - ABS HO SDRGE WETX

There is a space before and after (-)

I tried this but it is removing only (-)
mutate { gsub => [ "someField", "-*", "" ] }

In a mutate like

mutate { gsub => [ "someField", "\..*", "" ] }

the second string "\..*" is a regexp. That particular one says a literal dot, followed by zero or more characters (dot matches any character, which is why the literal dot has to be escaped).

If you want to remove the space, dash, space, and everything after it then use

mutate { gsub => [ "message", " - .*", "" ] }

If you want to remove just the dash and everything after it (but not the space before it) then remove the leading space in the regexp. The pattern you tried, "-*", means zero or more occurrences of dash.

You appear to think that * matches a string of characters, like it does in a UNIX filename wildcard. That is not true in most regexps. Instead it modifies whatever comes before it, to say "zero or more of".

Ruby regexps are similar-ish to perl regexps, which are similar to, but more functional than, ed regexps, which are not similar to /bin/sh regexps, which are very different to /bin/csh regexps. There are many other regexp dialects.

In logstash itself you are always dealing with Ruby regexps (although you could be using plugins that interact with external systems that use other types of regexps). It is possible that, if you are using a jdbc input and an http filter for enrichment, you might use three different types of regular expression in a single configuration, but that really would be unusual. For help with any particular dialect just Google "ruby regular expression" or "oracle sql regular expression" or "perl regular expression" and you will find sites that can guide you.

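The patterns discussed in this thread, run side by side in plain Ruby as an added example (not code from any poster in the thread). `mutate_gsub` and `match_report` are hypothetical helpers that assume mutate's gsub behaves like Ruby's `String#gsub` with the pattern compiled as a regexp; the multi-line and no-separator inputs are constructed.

```ruby
# Hypothetical stand-in for the mutate filter's gsub (assumption: the pattern
# string is compiled as a Ruby regexp and every match is replaced).
def mutate_gsub(value, pattern, replacement = "")
  value.gsub(Regexp.new(pattern), replacement)
end

# What the pattern actually matched: the non-empty matches, plus a count of
# the zero-length matches that "zero or more of" patterns produce.
def match_report(value, pattern)
  matches = value.scan(Regexp.new(pattern))
  { matched: matches.reject(&:empty?), empty_matches: matches.count(&:empty?) }
end

HOST = "123RGT78.XY.ABD.COM"        # sample value from the thread
CODE = "01234 - ABS HO SDRGE WETX"  # sample value from the thread

# [field value, pattern] pairs; single quotes keep the backslash literal.
CASES = [
  [HOST, '\..*'],                   # literal dot and everything after it
  [HOST, '\.'],                     # every literal dot, nothing else
  [HOST, '..*'],                    # unescaped: any character, then the rest
  [CODE, '-*'],                     # zero or more dashes
  [CODE, ' - .*'],                  # space, dash, space and everything after
  [CODE, '-.*'],                    # dash and everything after, space kept
  ["no-separator-here", ' - .*'],   # constructed: no match, value unchanged
  ["a.b\nc.d", '\..*'],             # constructed: dot does not cross a newline
].freeze

# Apply every case and return [pattern, input, output] triples.
def run_cases
  CASES.map { |value, pattern| [pattern, value, mutate_gsub(value, pattern)] }
end

if __FILE__ == $PROGRAM_NAME
  run_cases.each do |pattern, value, out|
    puts format("%-8s %-30s => %s", pattern, value.inspect, out.inspect)
  end
  p match_report(CODE, '-*')
end
```

The last case shows that a field holding several lines is truncated per line, because `.` in a Ruby regexp does not match a newline unless the `m` option is set.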