Description
Hi,
I have a requirement where I need to strip some data out of the message body of the event. I thought that the mutate - gsub filter would be ideal. When using mutate - gsub the find string does not appear to evaluate %{} variables.
logtype and hostname are collected in an earlier grok pattern.
Event:
"sometype somehost.com Sun Apr 27 19:20:44 2014:"
Example:
mutate {
  gsub => [ "message", "sometype somehost.com ", "" ]
}
gives message = "Sun Apr 27 19:20:44 2014:" as desired.
Where
mutate {
  gsub => [ "message", "%{logtype} %{hostname} ", "" ]
}
gives the original message unaltered.
I have confirmed that the variables are being filled by using the following:
mutate {
  add_field => [ "replace", "%{logtype} %{hostname} ", "" ]
}
"replace" is then equal to "sometype somehost.com " in the case of the example.
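
Added example, not part of the original issue and not Logstash code: a plain-Ruby model of the substitution the report asks for. It expands `%{field}` references from an event and escapes both the literal text and the field values before building the pattern, because the search argument of gsub is a regular expression and a value such as `somehost.com` contains a `.`. The Hash-based event, the helper names and the sample values are assumptions constructed for illustration.

```ruby
# Added example: the event is modelled as a plain Hash (an assumption);
# field names and values below are constructed sample data.
FIELD_REF = /%\{([^}]+)\}/

# Build a Regexp from a template such as "%{logtype} %{hostname} ".
# Literal text and field values are both escaped, so the pattern matches
# only those exact characters and never treats log data as regex syntax.
# Returns nil when a referenced field is missing from the event.
def pattern_from_template(template, event)
  parts = []
  pos = 0
  template.scan(FIELD_REF) do
    m = Regexp.last_match
    parts << Regexp.escape(template[pos...m.begin(0)])
    value = event[m[1]]
    return nil if value.nil?
    parts << Regexp.escape(value.to_s)
    pos = m.end(0)
  end
  parts << Regexp.escape(template[pos..-1])
  Regexp.new(parts.join)
end

# Remove every match of the expanded template from the given field.
# The event is returned unchanged when a reference cannot be resolved.
def strip_template(event, field, template)
  pattern = pattern_from_template(template, event)
  return event if pattern.nil?
  event.merge(field => event[field].to_s.gsub(pattern, ""))
end

# Variant without escaping, kept only to show what escaping prevents:
# field values are interpolated into the pattern as raw regex syntax.
def unescaped_pattern(template, event)
  Regexp.new(template.gsub(FIELD_REF) { event[Regexp.last_match(1)].to_s })
end

EVENT = {
  "message"  => "sometype somehost.com Sun Apr 27 19:20:44 2014:",
  "logtype"  => "sometype",
  "hostname" => "somehost.com"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts strip_template(EVENT, "message", "%{logtype} %{hostname} ")["message"]
end
```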