Using Regex groups in Logstash's Gsub
September 2022
Problem
Exception caught in json filter {JSON} :exception=>#<RuntimeError: Invalid FieldReference: proc.aname[2]>}
Original Slack thread
When you have proc.aname[2] and want to have proc_aname2 - you can use regex groups to automatically change all occurrences of that string:
Solution
mutate {
gsub => [ "message", "proc\.aname\[([0-9]+)\]", "proc_aname\1"]
}
Basically parenthesis () will make groups that can be later referenced by its number ( \1 for the first group, \2 for the second and so on.
Used Logshark for debugging