Try to remove brackets from string

Hello,

From the example string below, I'm trying to replace the brackets and the number between these brackets with a dot (.). I used a pipeline rule for this.

Example string: "(10)nexusrules(10)officeapps(4)live(3)com(0)"

I currently tried it with this code:
let updatedAddress = replace(to_string($message.originalAddress), "(\()", ".");

I'm not familiar with regex, so hopefully somebody can help me. If you have a better idea to accomplish this task, feel free to share it with me.

Best regards

Hey @Chris_1

What kind of device is this sending logs?

Hi,

The logs are coming from a Windows DNS server with the Filebeat agent.

I don't know if this is helpful, but… the value for the field (message.originalAddress) is extracted by an input extractor with the grok pattern "%{GREEDYDATA:originalAddress}".

I found a solution…

String to format: (7)catalog(8)gamepass(3)com(0)
String after format: catalog.gamepass.com


rule "Rule1"
when
  has_field("requested_address")
then
  let transformed_message = regex_replace("\\(\\d+\\)", to_string($message.requested_address), ".");  // replace each pair of brackets and the number between them with a dot
  let transformed_message = regex_replace("\\A.", to_string(transformed_message), "");                // remove the first character of the string
  let transformed_message = regex_replace(".{1}\\z", to_string(transformed_message), "");             // remove the last character of the string

  set_field("requested_address", transformed_message);
end

Hey,

Oh nice, beat me to it :laughing:

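Added example, not part of the thread: a Python decoder for the same bracket notation that reads each number as the length of the label after it and checks it, so a truncated line or a value that is not in this notation raises an error instead of being trimmed. The function name is hypothetical, the sample strings other than the two from the thread are constructed, and it assumes the log writes one character per byte of each label.

```python
import re

# One "(N)label" pair; N is the label length written in front of the label.
_LABEL = re.compile(r"\((\d+)\)([^()]*)")


def decode_dns_debug_name(raw: str) -> str:
    """Turn '(7)catalog(8)gamepass(3)com(0)' into 'catalog.gamepass.com'.

    Raises ValueError when the text is not a well-formed run of
    length-prefixed labels ending in the (0) root label.
    """
    labels = []
    pos = 0
    while pos < len(raw):
        m = _LABEL.match(raw, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {raw[pos:]!r}")
        length, label = int(m.group(1)), m.group(2)
        if length != len(label):
            raise ValueError(
                f"label {label!r} has length {len(label)}, prefix says {length}"
            )
        labels.append(label)
        pos = m.end()
    if not labels or labels[-1] != "":
        raise ValueError("name does not end with the (0) root label")
    if "" in labels[:-1]:
        raise ValueError("empty label before the end of the name")
    # A lone "(0)" is the DNS root, written as a single dot.
    return ".".join(labels[:-1]) or "."


if __name__ == "__main__":
    samples = [
        "(7)catalog(8)gamepass(3)com(0)",   # from the thread
        "(7)catalog(8)game",                # constructed: truncated line
        "catalog.gamepass.com",             # constructed: already plain
    ]
    for s in samples:
        try:
            print(s, "->", decode_dns_debug_name(s))
        except ValueError as exc:
            print(s, "-> rejected:", exc)
```
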