Use operator with gsub

sam1975 · September 1, 2023, 10:18am

Hello,
I need to change a logstash pipeline which use gsub but i've doubt of the syntax
Instead of this
mutate {gsub => [
"status", "(?i)added", "plugged"
]}
mutate {gsub => [
"status", "(?i)installed", "plugged"
]}

I would like something like this

mutate {gsub => [

  "status", (added|installed|present|has been restored|inserted|Good|closed|plugged|1|found|connected|inserted|ok),"plugged"
]}

But it fails and i think something is missing in my syntax.
Your lights would be helpful
Regards

Badger · September 1, 2023, 11:59am

What fails?

sam1975 · September 1, 2023, 12:49pm

the pipeline crash and the syntax doesn't seem to be good

Badger · September 1, 2023, 12:55pm

What error messages do you get? What does your complete pipeline configuration look like?

sam1975 · September 1, 2023, 2:00pm

I copy an extract of the pipeline

[START] Map the status value of message to MD syslog return value.

# We transform the status into "PLUGGED" or "UNPLUGGED"
mutate {gsub => [
  "status", "(?i)added", "plugged"
]}
mutate {gsub => [
  "status", "(?i)installed", "plugged"
]}
mutate {gsub => [
  "status", "(?i)present", "plugged"
]}
mutate {gsub => [
  "status", "(?i)has been restored", "plugged"
]}
mutate {gsub => [
  "status", "(?i)removed", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)lost", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)inserted", "plugged"
]}
mutate {gsub => [
  "status", "(?i)not correctly functioning", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)no longer present", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)Good", "plugged"
]}
mutate {gsub => [
  "status", "(?i)Failure", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)closed", "plugged"
]}
mutate {gsub => [
  "status", "(?i)unlocked and opened", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)0", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)1", "plugged"
]}
mutate {gsub => [
  "status", "(?i)found", "plugged"
]}
mutate {gsub => [
  "status", "(?i)Disconnected", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)disconnect", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)connected", "plugged"
]}
mutate {gsub => [
  "status", "(?i)inserted", "plugged"
]}
mutate {gsub => [
  "status", "(?i)detected", "unplugged"
]}
mutate {gsub => [
  "status", "(?i)ok", "plugged"
]}

mutate {
  add_field => {
    "syslog_md_text" => "%{physical_location_id}%{physical_location_id_A}%{space}%{physical_location_id_B}|%{vendor_id}|%{dev_id}|%{status}"
  }
}
## [END] Formattage syslog_md_text

}
}

The problem is that i want to reduce the number of mutate and when i do this
mutate {gsub => [
"status", (added|installed|present|has been restored|inserted|Good|closed|plugged|1|found|connected|inserted|ok),"plugged"
]}
the pipeline stop

Badger · September 1, 2023, 2:14pm

Do you have double quotes around the regexp?

sam1975 · September 1, 2023, 2:22pm

no, i don't have

Badger · September 1, 2023, 3:17pm

Then add double quotes.

system · September 29, 2023, 3:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.