Discuss the Elastic Stack

Replace substring and concat rest

Elastic Stack Logstash

ksremo June 18, 2020, 11:25am 1

I have DNS Logs looks like

(14)xxxxxxxxxxxx(11)keydelivery(13)mediaservices(7)windows(3)net(0)
(4)mediaservices(7)windows(3)net(0)
(3)windows.com(0)

I want to remove all (...) and replace this with a dot "."
if (..) is in front or end of the string i want to remove it.

Any clever approach without doing that in more steps like first cut the values and then build a new field out of the substrings?

Jenni June 18, 2020, 12:32pm 2

Something like this might work:

mutate {
  gsub => [
    "message", "(^\(\d*\))|(\(\d*\)$)", "",
    "message", "\(\d*\)", "."
  ]
}

1 Like

ksremo June 18, 2020, 12:52pm 3

Great help, thanks Jenni .... again

system (system) Closed July 16, 2020, 12:52pm 4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Grok query domain from DNS server log Logstash	5	1374	August 9, 2017
Removing substring from key and result Logstash	2	419	August 20, 2019
Remove part of message string in logstash config Logstash	6	8917	September 10, 2019
Replace string within a pattern in ruby Logstash	3	2407	January 28, 2018
Gsub syntax to remove all before \ Logstash	3	1964	November 6, 2017

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.