Removing \ from raw input log data

Merdesz · March 31, 2023, 2:44pm

I have a device sending in logs which have "" before every string caracter and I would like to remove them or rewrite them to a simple ". So this " --> " to this.

Logs:
srcintfrole="undefined" dstip=255.255.255.255 dstport=000 dstintf="interface" dstintfrole="interface" srccountry="Reserved" dstcountry="counrtyname" sessionid=2458616 proto=6 action="timeout" policyid=0 service="HTTPS"

I have tried with a logstash filter but it does not seem to work.

input {
  tcp {
    port => port_number
  }
}
filter{
  mutate {
    gsub => ["message", "\"", '"']
  }
}
output {
  elasticsearch {
    hosts => ["host_name"]
    index => "index_name"
    cacert => "cert_path"
    pipeline => "pipeline_name"
    user => "user_name"
    password => "password"
  }
}

The logs arrive into elasticsearch but without required modifications.

Any help or advice is greatly appreciated.

Márton

Badger · March 31, 2023, 6:53pm

That is a no-op. It replaces a double quote with a double quote. If you want to replace an escaped double quote with a double quote then try

 mutate { gsub => ["message", '\\"', '"'] }

Otherwise edit your post with appropriate markdown to make it clear what you want.

Merdesz · April 3, 2023, 8:17am

Thank you, this was all I needed.

system · May 1, 2023, 8:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove double quotes from grok output Logstash	9	2863	January 20, 2020
Remove all backslash from fields in logstash Logstash	1	114	June 7, 2023
Logstash delete double quotes and parsing Logstash	1	612	January 10, 2019
Remove escaped characters before inserting data Elasticsearch	2	410	July 5, 2017
Removing substring from key and result Logstash	2	419	August 20, 2019

Removing \ from raw input log data

Related topics