Menu
I am trying to adjust path name so that it no longer has the time stamp attached to the end. I am input many different logs so it would be impractical to write a conditional filter for every possible log. If possible I would just like to trim the last nine characters of the value.
For example "random.log-20140827" would become "random.log".
476
mutate {
gsub => [
"path", "-\d{8}$", ""
]
}
So if you know it's always going to be random.log-something --
if [path] =~ /random.log/ {
mutate {
replace => ["path", "random.log"]
}
}
If you want to "fix" anything that has a date in it:
if [path] =~ /-\d\d\d\d\d\d\d\d/ {
grok {
match => [ "path", "^(?<pathPrefix>[^-]+)-" ]
}
mutate {
replace => ["path", "%{pathPrefix}"]
remove_field => "pathPrefix"
}
}
Of the two, the first is going to be less compute intensive.
I haven't tested either of these, but they should work.
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
