Replace field with regex group match

irom77 · November 4, 2016, 4:04pm

Hey,

How do I replace field with regex group match , see example below.

mutate {
            gsub => [                  
              "message",",\\\"(.+)\\\",",<Group 1 here ???>
            ]
        }

My message is here, I am targetting that ,"FN WebFix.exe", :

<141>Nov 3 12:53:35 MR-DC1-PFWP02.cor.com 1,2016/11/03 12:53:35,001901000999,THREAT,file,1,2016/11/03 12:53:35,10.4.21.127,10.111.0.98,0.0.0.0,0.0.0.0,from REPVPN and SSLVPN,wm\\mo.admin,,ms-ds-smb,vsys1,app,rep,ae1.20,ae2.192,LF-elk,2016/11/03 12:53:35,33891243,1,445,53368,0,0,0x0,tcp,alert,\"FN WebFix.exe\",Microsoft PE File(52060),any,low,server-to-client,5210010,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,0,,,,,,,,0,38,0,0,0,PROD,MR-DC1-PFWP02,

magnusbaeck · November 4, 2016, 6:24pm

You could a) use a grok filter or b) use gsub twice (once to remove the leading quote and once to remove the trailing quote).