Hi,
I'm trying to put postfix logs to elasticsearch.
I'm stuck with parsing the pri-tag - in fact, I want to remove it from the message.
Here's a line from logs being sent:
<22>Aug 21 18:34:14 mailserver postfix/qmgr[1842]: 37C0E2D1C: removed
I want to remove that number <22>
I've found this thread Remove part of message string but even when adding a gsub like
mutate {
gsub => ["message", "<22>", ""]
}
it doesn't work.
Any help is appreciated
Regards
Daniel
With a simple configuration like
input { generator { count => 1 lines => [ '<22>Aug 21 18:34:14 mailserver postfix/qmgr[1842]: 37C0E2D1C: removed' ] } }
filter {
mutate { gsub => ["message", "<22>", ""] }
}
output { stdout { codec => rubydebug { metadata => false } } }
It most certainly does work
"message" => "Aug 21 18:34:14 mailserver postfix/qmgr[1842]: 37C0E2D1C: removed",
Although I would recommend
mutate { gsub => ["message", "^<\d+>", ""] }thanks a lot for your swift reply.
I do not understand why your mutate statement works while mine didn't.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.