Stripping characters from a field and convert to lower case

bds_Vince · July 12, 2017, 5:28pm

I am importing IIS logs from the SMTP relay service. I have successfully separated out all of the fields in logstash. One of the data fields needs to have excess characters trimmed and then converted to lower case for the report grouping to display correctly.

The field name is cs-uri-query and it contains data like this:
FROM:jstrong@domain.com+SIZE=1351
TO:distributioncenter-dallas@domain.com
+TO:progammers@domain.com
to:programmers@domain.com
+to:PROGRAMMERS@DOMAIN.COM
=fromnpr3@domain.com+SIZE=1202

I want to retrieve the email address and convert it to lower case.

I would appreciate some code to try or a link that describes the process.
TIA

Vince

bds_Vince · July 12, 2017, 5:30pm

ARGH!

The GUI stripped out the "<" character which marks the start of the email address and the "<" character that marks the end....

bds_Vince · July 24, 2017, 10:35pm

Ok, I have figured out how to parse the field with grok
grok {
match => { "CS-URI-Query" => "(?[+A-Z][:][<])%{EMAILADDRESS:themail}%{GREEDYDATA:DropMe2}"}
}

This gives me a field, the mail, with the embedded email address. Now on to the next issue....

Topic		Replies	Views
Lowercase Field Name Logstash	1	1987	February 20, 2020
Adding a copy field and set it lowercase Logstash	2	1919	April 4, 2018
Convert uppercase in lowercase Logstash	12	15173	June 22, 2017
Convert Packetbeat Field Contents to Lowercase Logstash	8	311	April 16, 2021
Mutate lowercase filter not been applied Logstash	2	706	December 20, 2019

Stripping characters from a field and convert to lower case

Related topics