Removes ::ffff: from ip address field

Thibaut603 · February 1, 2019, 9:59am

Hello,

i want to remove ::ffff: from ip address field (like this)

so in logstash i've made this

# Removes ::ffff from IP address
filter {
  if "winlogbeat" in [tags] {
  mutate {
    gsub => ["[event_data][IpAddress]", "::ffff:", ""]
         }
                            }
        }

but that does not work, any ideas ?

Thx for help

Thibaut,

pjanzen · February 1, 2019, 10:03am

I think you need to change:

[event_data][IpAddress]

To this:

%{[event_data][IpAddress]}

Thibaut603 · February 1, 2019, 11:46am

i've changed and it's really strange sometimes i've ::ffff: and somitimes not

February 1st 2019, 12:42:33.724 ::ffff:10.100.25.108

February 1st 2019, 12:42:33.471 10.100.247.131

i think the filter doen't removes ::ffff; and certain event don't have this ffff.

it's possible ?

pjanzen · February 1, 2019, 1:09pm

The addresses with ::ffff: are mapped ipv6 addresses.

have read here

system · March 1, 2019, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to strip IPv6 Address From Field Beats winlogbeat	2	683	April 13, 2018
How to remove IP-address from elasticsearch submission after geoip parses it? Logstash	3	1369	July 20, 2017
Logstash mutate filter Logstash	9	1811	July 6, 2017
How to remove a field Logstash	2	428	July 6, 2017
Safely remove tcp input plugin's "host" and "port" fields Logstash	4	585	May 5, 2021

Removes ::ffff: from ip address field

Related topics