Replace in Logstash

Hi
I'm trying to replace some strings in field message in with Logstash

My logstash configuration:
input {
beats {
port => 5044
}
}
filter {
mutate {
gsub => ["message", "s", "X"]
}
}

output {
  elasticsearch {
    host => "localhost"
    port => "9200"
    protocol => "http"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

in this example i tried to replace s with X, but it didn't work. Could you tell my why and how i should do it?

my filebeat input:
- type: log
enabled: true
paths:
- /var/log/out/*.log
multiline.pattern: '^['
multiline.negate: true
multiline.match: after

- type: log
  enabled: true
  paths:
    - /var/log/err/*.log
  multiline.pattern: 'R [a-zA-Z]'
  multiline.negate: true
  multiline.match: after

filebeat output:
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]

That looks correct to me.

Do you have an example log that you are trying this on?

This is the gsub that I use on one of my log sets:

filter {
  mutate {
    gsub => ['message', '\r', '']
    strip => ['message']
  }
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.