We have this kind of log collected from Winlogbeat:
AlertName=Wireless Access Point Alert
AlertStatus=Active
AlertActiveID=8618424
AlertDescription=
Severity=Critical
Here “AlertName” keeps changing, e.g. Network Device Alert or SQL Database Alert, etc.
We need to create a new field named “AlertName” by referring to the AlertName line in the above log.
We are trying it with the Kibana Dev Tools Grok Debugger, as below:
AlertName=%{GREEDYDATA:AlertName}
And also as below:
AlertName=%{GREEDYDATA:AlertName}\s*
It creates the field, but its value contains the additional text “\r” at the end, as below:
{ "AlertName": "Wireless Access Point Alert\r" }
We tried multiple ways but were unable to remove this “\r”. Can someone please help us remove this additional “\r”?
The \r (carriage return, CR) is matched by the GREEDYDATA pattern, as the regex . metacharacter also matches that symbol (mind the regex flavor is Oniguruma, as per the Logstash grok docs).
You can use a custom pattern to get rid of that trailing CR symbol:
AlertName=(?<AlertName>[^\n\r]*)
The pattern contains an AlertName named group that will create the field and will only match zero or more chars other than LF (line feed) and CR characters.
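To see the behaviour the answer describes, here is an added example that is not part of the question or the answer and is not a Logstash configuration: it runs both patterns with Python's re module over a constructed CRLF-terminated event. Python's . behaves like Oniguruma's here (it excludes LF but not CR), so the results match what the Grok Debugger shows; only the named-group syntax differs ((?P<name>...) in Python versus (?<name>...) in Oniguruma/grok). The example also goes a step beyond the single field and parses every Key=Value line of the event with the same CR-safe character class; the sample event and the helper names are assumptions made for this example.

```python
import re

# Constructed sample: a Winlogbeat-style event body with Windows CRLF line
# endings, so every line ends in "\r\n". This is the situation that leaves a
# stray "\r" in the captured field.
SAMPLE_EVENT = (
    "AlertName=Wireless Access Point Alert\r\n"
    "AlertStatus=Active\r\n"
    "AlertActiveID=8618424\r\n"
    "AlertDescription=\r\n"
    "Severity=Critical\r\n"
)

# Same event with Unix LF line endings, where both patterns give the same result.
SAMPLE_EVENT_LF = SAMPLE_EVENT.replace("\r\n", "\n")

# GREEDYDATA expands to ".*" in grok. Without a DOTALL flag, "." matches any
# character except LF, so the CR that precedes the LF is swallowed.
GREEDY_PATTERN = re.compile(r"AlertName=(?P<AlertName>.*)")

# The custom pattern from the answer: a named group that stops at CR or LF.
FIXED_PATTERN = re.compile(r"AlertName=(?P<AlertName>[^\n\r]*)")

# Generalisation: one Key=Value line, anchored at line start in MULTILINE mode,
# with the same CR-safe value class so no line-ending bytes leak into values.
KV_LINE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)=(?P<value>[^\r\n]*)", re.MULTILINE)


def extract(pattern: re.Pattern, event: str) -> dict:
    """Return the named groups of the first match as a field dict, mimicking
    the {"AlertName": "..."} output the Grok Debugger shows."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def parse_kv(event: str) -> dict:
    """Parse every Key=Value line of the event into a dict. Empty values
    (e.g. "AlertDescription=") are kept as empty strings."""
    return {m.group("key"): m.group("value") for m in KV_LINE.finditer(event)}


if __name__ == "__main__":
    # repr() makes the trailing "\r" visible, which a plain print would hide.
    print("GREEDYDATA:", repr(extract(GREEDY_PATTERN, SAMPLE_EVENT)))
    print("custom    :", repr(extract(FIXED_PATTERN, SAMPLE_EVENT)))
    print("all fields:", parse_kv(SAMPLE_EVENT))
```

Running it shows the first pattern returning 'Wireless Access Point Alert\r' and the second returning the clean value; on the LF-only variant both agree, which is why the problem only surfaces with Windows-originated logs.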