Variable in gsub


Multiline concat my device logs but does not remove unusefull informations.

<134>Mar 03 11:39:57 SHK-NSW-CORE CLI(67) Data: USERCMD: <gmenage> <> [no ip interface lololol] <ERROR: No such interfa<134>Mar 03 11:39:57 SHK-NSW-CORE CLI(67) Data: [Count.]ce - lololol.>

I tryed to use GSUB to clean my multiline output:
gsub=>[ "message","%{ALE_MULTILINE_BASE}", "" ]

ALE_BASE <%{POSINT:syslog_pri}>%{ALE_TIMESTAMP:@timestamp}%{SPACE}%{SYSLOGHOST:hostname}%{SPACE}%{SYSLOGPROG:message_program}\(%{DATA:message_thread_id}\)%{SPACE}Data:%{SPACE}

But it looks like gsub does not accept %{ALE_MULTILINE_BASE} as a variable.

Do you have an idea?

/opt/logstash/bin/logstash --version
logstash 2.1.1

Thank you in advance.


The mutate filter's gsub option doesn't support grok patterns.

1 Like


Ok, thank you for the answer.