Using Regex groups in Logstash's Gsub

September 2022


Exception caught in json filter {JSON} :exception=>#<RuntimeError: Invalid FieldReference: proc.aname[2]>}

Original Slack thread

When you have proc.aname[2] and want to have proc_aname2 - you can use regex groups to automatically change all occurrences of that string:


mutate {
    gsub => [ "message", "proc\.aname\[([0-9]+)\]", "proc_aname\1"]

Basically parenthesis () will make groups that can be later referenced by its number ( \1 for the first group, \2 for the second and so on.

Used Logshark for debugging