Logstash : Mutate gsub doen't change anything

Question

No matter what i change it feels like the gsub is just ignored.

"port": 5021,
"@timestamp": "2020-07-25T02:16:03.747Z",
"host": "xxx.xxx.xxx.xxx",
"@version": "1",
"message": "000 361.609\r"

This is my output, ultimately i want to remove everything after the backlash (backlash included) from the message field. Right now i'm just trying to target the r and even that doesn't work so i need help figuring out what's wrong.

filter {
  mutate{ 
    gsub => [
    "message", "[r]", ""]
  }
}

And what about `"[\\s+]"`, i.e. replace any whitespace characters? — Val, Jul 27 '20 at 04:43
just tried it and it doesn't work either. I tried replacing my zero by another number so: "message", "[0]", "1" and this works ! there must be something with the backslash .. — Marylène Beaudin, Jul 27 '20 at 12:48

score 0 · Answer 1 · answered Jul 27 '20 at 13:07

0

The /r is read directly as a spacing character so a white space and not as the text "/r" so by going with

filter {
  mutate{ 
    gsub => [
    "message", "[\s+]", ""]
  }
}

the problem is solved !

answered Jul 27 '20 at 13:07

Marylène Beaudin

137
2
9

Awesome, glad you figured it out! – Val Jul 27 '20 at 13:22

Logstash : Mutate gsub doen't change anything

1 Answers1