Hi Friends. I am taking in cef syslog messages from an application called Secret Server. The messages are not parsing correctly because some of the fields usernames have a slash in the username. The format is domain\username.
I am trying to use mutate to remove the domain\ from the username field and failing.
Is there a reason this filter wouldn't work?
filter {
mutate { gsub => ["message","domain\\",""]
}
}
Is there really a square bracket in the [message] field? Please format your configuration. Edit your post, select the filter {} section, and click on </> in the toolbar above the edit pane.
Apologies, it did not render correctly. I added the code symbols and the message looks correct now.
Thanks!
OK, it is an oddity of the configuration compiler that you cannot escape a backslash at the end of a string. The backslash always escapes the closing double quote. The standard workaround for this is to use a character group that evaluates to one occurrence of a backslash.
mutate { gsub => ["message","domain[\\]",""]
Thanks Badger for your help. This had some unexpected results as well. I am going to review my side a little bit more to see if can understand what I am seeing now. Appreciate the help!!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.