Trim field value, or remove part of the value

About

Asked 14/5, 2015 at 15:42 Answered 14/5, 2015 at 18:30

I am trying to adjust path name so that it no longer has the time stamp attached to the end. I am input many different logs so it would be impractical to write a conditional filter for every possible log. If possible I would just like to trim the last nine characters of the value.

For example "random.log-20140827" would become "random.log".

Acalia answered 14/5, 2015 at 15:42 Comment(0)

So if you know it's always going to be random.log-something --

if [path] =~ /random.log/ {
  mutate {
     replace => ["path", "random.log"]
  }
}

If you want to "fix" anything that has a date in it:

if [path] =~ /-\d\d\d\d\d\d\d\d/ {
   grok {
      match => [ "path", "^(?<pathPrefix>[^-]+)-" ]
   }
   mutate {
      replace => ["path", "%{pathPrefix}"]
      remove_field => "pathPrefix"
   }
}

Of the two, the first is going to be less compute intensive.

I haven't tested either of these, but they should work.

Apology answered 14/5, 2015 at 15:58 Comment(2)

The second one was what I needed. Thank you very much Alcanzar. – Acalia 14/5, 2015 at 17:35

On the regexp side, how about something like /-\d+$/ or /-\d{8}$/ ? – Ali 14/5, 2015 at 18:29

mutate {
    gsub => [
        "path", "-\d{8}$", ""
    ]
}

Ali answered 14/5, 2015 at 18:30 Comment(0)