Hi Friends. I am taking in CEF syslog messages from an application called Secret Server. The messages are not parsing correctly because some of the username fields have a slash in the username. The format is domain\username.
I am trying to use mutate to remove the domain\ from the username field and failing.
Is there really a square bracket in the [message] field? Please format your configuration. Edit your post, select the filter {} section, and click on </> in the toolbar above the edit pane.
OK, it is an oddity of the configuration compiler that you cannot escape a backslash at the end of a string. The backslash always escapes the closing double quote. The standard workaround for this is to use a character group that evaluates to one occurrence of a backslash.
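Added example, not part of the original thread: a Logstash filter that applies the character-group workaround described above to strip a `domain\` prefix. The field names `username` and `username_full` are hypothetical, since the thread does not show the actual field, and the default `config.support_escapes: false` setting is assumed.

```logstash
filter {
  # Keep the original domain\username value before rewriting it, so that
  # accounts with the same name in different domains stay distinguishable.
  # copy runs late inside a mutate block, so it gets a block of its own
  # ahead of the gsub.
  mutate {
    copy => { "username" => "username_full" }   # hypothetical field names
  }

  mutate {
    # This form does not compile, because the backslash before the closing
    # quote escapes the quote and the string never ends:
    #   gsub => [ "username", "^.*\\", "" ]
    #
    # Workaround: [\\] is a character group that matches exactly one
    # backslash, and the string now ends in "]" rather than a backslash.
    # [^\\]* matches the domain part (everything up to the first backslash).
    gsub => [ "username", "^[^\\]*[\\]", "" ]
  }
}
```

Values without a backslash are left unchanged, because the pattern only matches when a `domain\` prefix is present.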
Thanks Badger for your help. This had some unexpected results as well. I am going to review my side a little bit more to see if I can understand what I am seeing now. Appreciate the help!!