Question
I have an IP address field from the Windows event log that contains characters like "::fffff:" in front of the IP address. I cannot change the source here, so I have to fix this in Logstash.
I must suck at googling, but I really can't find a simple way to just strip these characters from the IP address fields in Logstash.
I have tried, for example:

```
if ("" in [event_data][IpAddress]) {
  mutate {
    add_field => { "client-host" => "%{[event_data][IpAddress]}" }
    gsub => ["client-host", ":", ""]
  }
  dns {
    action => "replace"
    reverse => [ "client-host" ]
  }
}
```
but no luck, the colon is still there. How can I replace "::ffff:" in the string "::ffff:10.0.36.39" in Logstash?
Answer 1:
The `add_field` isn't executed until after the `gsub`, so you need to break it up into two `mutate` blocks.
```
mutate {
  add_field => { "client-host" => "%{[event_data][IpAddress]}" }
}
mutate {
  gsub => ["client-host", "::ffff:", ""]
}
```
The specific order that `mutate` works in:
```ruby
rename(event) if @rename
update(event) if @update
replace(event) if @replace
convert(event) if @convert
gsub(event) if @gsub
uppercase(event) if @uppercase
lowercase(event) if @lowercase
strip(event) if @strip
remove(event) if @remove
split(event) if @split
join(event) if @join
merge(event) if @merge
filter_matched(event)
```
Where `filter_matched` has all of the standard actions like `add_field`.
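To make the ordering concrete, here is an added Ruby model (example code, not from the original post or from Logstash itself) of a `mutate` block that runs `gsub` before the `filter_matched` actions such as `add_field`, applied to a constructed event. It assumes a flat `IpAddress` key in place of the nested `[event_data][IpAddress]`, models only `gsub` and `add_field`, and anchors the pattern as `^::ffff:` so only a leading IPv4-mapped prefix is stripped.

```ruby
# Added example: a minimal model of Logstash's mutate ordering, showing why one
# block with both add_field and gsub leaves the prefix in place while two blocks
# strip it. Not Logstash code; only gsub and add_field are modelled.

# Apply one mutate block. gsub runs first; add_field runs last, inside
# filter_matched, so a field added in the same block is never gsub'ed.
def mutate(event, gsub: nil, add_field: nil)
  if gsub
    field, pattern, replacement = gsub
    if event.key?(field)
      event[field] = event[field].gsub(Regexp.new(pattern), replacement)
    end
  end
  # filter_matched: standard actions such as add_field run after everything else
  if add_field
    add_field.each do |name, template|
      # Resolve %{field} references against the event, like Logstash sprintf
      event[name] = template.gsub(/%\{([^}]+)\}/) { event.fetch($1, "") }
    end
  end
  event
end

# Constructed sample value: the IPv4-mapped IPv6 form seen in Windows event logs
SAMPLE_IP = "::ffff:10.0.36.39"

# The questioner's single block: add_field and gsub together.
def single_block(ip)
  event = { "IpAddress" => ip }
  mutate(event, add_field: { "client-host" => "%{IpAddress}" },
                gsub: ["client-host", "^::ffff:", ""])
  event["client-host"]
end

# The answer's two blocks: add the field first, then strip the prefix.
def two_blocks(ip)
  event = { "IpAddress" => ip }
  mutate(event, add_field: { "client-host" => "%{IpAddress}" })
  mutate(event, gsub: ["client-host", "^::ffff:", ""])
  event["client-host"]
end

puts single_block(SAMPLE_IP) # ::ffff:10.0.36.39 (prefix still there)
puts two_blocks(SAMPLE_IP)   # 10.0.36.39
```

A plain IPv4 value passes through `two_blocks` unchanged, which is the behaviour you want when the log source mixes both forms.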
Source: https://stackoverflow.com/questions/42092394/how-do-i-replace-a-string-in-a-field-in-logstash