Removing annoying characters before a Json formated string

Elastic Stack Logstash
1

Hello,

I'm just a beginner in ELK, so please forgive me in advance.

Here is the kind of input I have in logstash :
E...(.@.@..b......................=...B.{"rxpk":[{"tmst":297436019,"time":"2018-11-20T10:54:01.237397Z","chan":1,"rfch":1,"freq":868.300000,"stat":1,"modu":"LORA","datr":"SF7BW125","codr":"4/5","lsnr":6.0,"rssi":-103,"size":32,"data":"QAUbASaAYAEBa0v5zRPad7A8WAjW8JnOLkg3ttCEoPU="}]}

And I would like to remove the first part before the Json, i.e "E...(.@.@..b......................=...B."
I specify that this part is kind of random, more or less characters etc.
The only pattern is that it begins with E and ends with B.

Thank you in advance for your help

JoJo

2

You could try using the gsub filter like this:

mutate {    
    gsub => [ 
		"message", "E*B", ""
    ]
}

Where "message" is the field name and "E*B" is the pattern to search for.

But ideally if possible it would be nicer to sort the input.

I haven't tried this but it should hopefully work!

3

Thank you for your reply.
Thanks to your answer, I managed to separate the two parts instead of removing one
Here is my code if it can help some people in the same case

Actually, the grok filter uses the braces as a separator and with mutate we're adding new ones at each side of the json

[...]
filter {
grok {
match => {"message" => "%{DATA:bullshit}{%{DATA:data}}" }
}
mutate {
add_field => {
"true" => "{%{data}}"
}
}
json {
source => "%{true}"
target => "rxpk"
}
}
[...]

Again, thanks for all :slight_smile:

4

Glad you got it sorted!

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.