Reputation: 63
Logstash: How to remove part of field value (remove url query items)
Situation:
In my logs I have a field "Url". In some cases there are one or more query items in the url.
Desired situation: I'm looking for a way to get rid of the query items in the url (to get a 'clean' url). This in order to have a better analysis in Kibana (what are the most use pages, without query items in url).
What I have done until now is to add a new field "url_nonquery" with the value of the existing "Url" field. Then I use the mutate { split => filter on this new field to split at the ? character. This will result in an array: index 0 with the 'clean' url and index 1 with the query string. But now I don't seem to find out how to delete the index 1.
Does someone has some ideas to help me further with this? Thanks.
Upvotes: 0
Views: 2785
Answers (1)
Reputation: 17155
All you need to do is a grok filter like this:
filter {
grok { match => [ "url", "%{URIPATH:url_nonquery}" ] }
}
This would work even if there isn't a ? in the URL. The split method could be troublesome if you don't have a ? in your url.
Upvotes: 0
Related Questions
- How to remove unwanted fields logstash (ELK)
- change dynamic field value in logstash
- Logstash filter remove_field for all fields except a specified list of fields
- Remove Field from event by pattern
- how to remove field in logstash output
- remove certain records in logstash
- Trim field value, or remove part of the value
- Logstash remove fields by regex
- how to extract a portion of a field and store it into another field in logstash filter?
- Logstash Filter to Extract URL from Text Field into a New Field Called URL