How do I remove single quotes from the message field using Logstash gsub filter? I've tried the syntax below, and it didn't work.
mutate {
gsub => [ "[message]", "'", "" ]
}
mutate {
gsub => [ "[message]", "\\'", "" ]
}
Example:
{ "description": "These are just random users' credentials." }
In the example above, the single quote is right after the word users. I just want to remove it, I don't need to replace it with anything else.
mutate { gsub => [ "[message]", "'", "" ] }
is the way to do it.
I was thinking the same, but I'm still getting an error.
This is the input/filter code.
input {
generator {
lines => [
'{ "description": "These are just random users' credentials." }'
]
count => 1
}
}
filter {
mutate {
gsub => [ "[message]", "'", "" ]
}
Error:
[2021-05-03T04:30:41,717][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \",\", \"]\" at line 4, column 55 (byte 92) after input {\n generator {\n lines => [\n '{ \"description\": \"These are just random users' ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:365:in `block in converge_state'"]}The ' after users is closing out the ' at the start of the line, you need to escape it.
This makes sense now. It seems it's just harder to test this with the generator. I should be all good when I'm ready to pull logs via its primary method, logs won't be wrapped with single quotes.
Thanks!
I use a generator input a lot for testing things, but sometimes it is easier to put a line in a file, set sincedb_path to /dev/null, and use --config.reload.automatic to re-read the file every time you edit the configuration.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.