I'm using the Logstash SNMP input, and am receiving fields like the following:
iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageAllocationUnits.1"
Is there a way I can use a filter to drop everything before hrStorage?
You can use the mutate filter with the gsub option. If the part you want to drop is always before hrStorage., you can do something like this:
mutate {
gsub => [ "message", "^(.*)(hrStorage\..*)$", "\2"]
}
It uses capturing groups, with the second group grabbing from hrStorage. to the end and the first group grabbing the rest. Then we only keep the second in the replace part of the option.
