Struggling to replace a string in a syslog message with sub

Hi Friends. I am taking in cef syslog messages from an application called Secret Server. The messages are not parsing correctly because some of the fields usernames have a slash in the username. The format is domain\username.

I am trying to use mutate to remove the domain\ from the username field and failing.

Is there a reason this filter wouldn't work?

filter {
  mutate { gsub => ["message","domain\\",""]
  }
}

Is there really a square bracket in the [message] field? Please format your configuration. Edit your post, select the filter {} section, and click on </> in the toolbar above the edit pane.

Apologies, it did not render correctly. I added the code symbols and the message looks correct now.

Thanks!

OK, it is an oddity of the configuration compiler that you cannot escape a backslash at the end of a string. The backslash always escapes the closing double quote. The standard workaround for this is to use a character group that evaluates to one occurrence of a backslash.

mutate { gsub => ["message","domain[\\]",""]
1 Like

Thanks Badger for your help. This had some unexpected results as well. I am going to review my side a little bit more to see if can understand what I am seeing now. Appreciate the help!!