Reputation: 39
how to remove /r from field value in logstash grok
We have this kind of logs collected from Winlogbeat.
AlertName=Wireless Access Point Alert
AlertStatus=Active
AlertActiveID=8618424
AlertDescription=
Severity=Critical
Here “AlertName” keeps changing like Network Device Alert or SQL Database alert ect …
Here we need to create new field by name “AlertName” by referring the AlertName line in above log.
We are trying it with Kibana Dev tools – Grok Debugger as below
AlertName=%{GREEDYDATA:AlertName}
And also as below
AlertName=%{GREEDYDATA:AlertName}\s*
Its creating the field but its value contains additional text “\r” at the end of its value as below;
{ "AlertName": "Wireless Access Point Alert\r" }
We tried multiple ways but unable to remove this “\r” , can some one please help us how to remove this additional value “\r”?
Upvotes: 2
Views: 38
Answers (1)
Reputation: 627327
The \r (carriage return, CR) is matched by the GREEDYDATA pattern, as the regex . metacharacter also matches that symbol (mind the regex flavor is Oniguruma, as per Logstash grok docs).
You can use a custom pattern to get rid of that trailing CR symbol:
AlertName=(?<AlertName>[^\n\r]*)
The pattern contains an AlertName named group that will create the field and will only match zero or more chars other than LF (line feed) and CR characters.
Upvotes: 3
Related Questions
- How to remove all line breaks from a string
- How do I remove all non alphanumeric characters from a string except dash?
- Remove Field from event by pattern
- Logstash grok filter - field value duplicated
- How do I match a newline in grok/logstash?
- How to handle non-matching Logstash grok filters
- Need to shorten Grok Pattern
- Unable to extract fields form log line containing a mix of JSON and non-JSON data using grok in Logstash
- Not getting each error email alert from logstash 1.5.4