I want to extract Key=Value pairs from messages, for all messages, but exclude certain messages that contain K=V strings that are useless. And instead of writing a condition that includes the “known good”, I want to write a condition that excludes the “known bad”.
Btw, some of those might be due to a bug.
Messages containing a hash string that ends with == are extracted as a field (which I don’t want), but perhaps K=V also includes the format K==V or K==?
Correction: string== is extracted as K:string = V:=
Also, string= string is extracted as K=V.
Some examples of junk I don’t want K=V extracted:
nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/somecommand --tail=10 --comma-separated-output
apache : TTY=unknown ; PWD=/usr/bin/somecommand ; USER=root ; GROUP=apache ; COMMAND=/usr/bin/perlscript.pl L3Zhci93d3cv2dpLWJpi9zZWN1mUvZhlY3V0ZUwZXJdGlvi5bA== b3BlcFaWuPWddEZNU1TcGVjaFsTmZVZJUA== L3RtcCbTWN1ml0eS5UxLU0MTEuNDgZXJyLRcCDhmTHY=
While I agree that specifying the known goods is better for just getting the useful K=Vs, that list would get really long and hard to maintain.
I think it’s easier to just exclude the most useless K=Vs that show up in Graylog.
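To make the two points above concrete (the `string==` and `string= string` mis-extractions, and the "exclude known bad keys" approach), here is an added Python example. It is not Graylog's key-value extractor and not code from this thread; it emulates the behaviour with two regexes. The sample log lines are constructed from the ones quoted above, and the denylist of keys (`TTY`, `PWD`, `USER`, `GROUP`, `COMMAND`) is an assumption based on those lines.

```python
import re
from typing import Dict, Set

# Keys from the sudo-style lines quoted above that are "known bad" for our
# purposes. Comparison is case-sensitive because sudo emits them in upper case.
DENYLIST: Set[str] = {"TTY", "PWD", "USER", "GROUP", "COMMAND"}

# Loose pattern: shortest non-space run, one '=', then any non-space run.
# On a base64 token ending in '==' this yields key='<token>' value='=',
# the "K:string = V:=" result described above, and on 'key= value' it
# yields an empty value. It also treats '--tail=10' inside a command as a pair.
LOOSE_RE = re.compile(r"(\S+?)=(\S*)")

# Strict pattern:
#  - the key must start at the beginning of the message or right after
#    whitespace or ';', so a '--flag=x' inside a COMMAND value is not a key;
#  - the key is an identifier-like token;
#  - exactly one '=': the negative lookahead rejects '==', so 'base64=='
#    is not a pair;
#  - the value is a non-empty run up to whitespace or ';', so 'key= value'
#    and a trailing 'base64=' at end of line produce nothing.
STRICT_RE = re.compile(r"(?:^|(?<=[\s;]))([A-Za-z_][\w.-]*)=(?!=)([^\s;]+)")

# Constructed sample lines modelled on the ones in the post; not real logs.
NAGIOS_LINE = (
    "nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/somecommand --tail=10 --comma-separated-output"
)
APACHE_LINE = (
    "apache : TTY=unknown ; PWD=/usr/bin/somecommand ; USER=root ; GROUP=apache ; "
    "COMMAND=/usr/bin/perlscript.pl "
    "L3Zhci93d3cv2dpLWJpi9zZWN1mUvZhlY3V0ZUwZXJdGlvi5bA== "
    "b3BlcFaWuPWddEZNU1TcGVjaFsTmZVZJUA== "
    "L3RtcCbTWN1ml0eS5UxLU0MTEuNDgZXJyLRcCDhmTHY="
)
# A line with pairs we do want, plus one 'key= value' case that must be skipped.
USEFUL_LINE = "sshd : action=login src_user=alice src_ip=10.0.0.5 result=failure note= missing"


def loose_extract(message: str) -> Dict[str, str]:
    """Reproduce the over-eager extraction: no denylist, loose pattern."""
    return {k: v for k, v in LOOSE_RE.findall(message)}


def extract_kv(message: str, denylist: Set[str] = DENYLIST) -> Dict[str, str]:
    """Strict K=V extraction that drops any key on the denylist."""
    return {k: v for k, v in STRICT_RE.findall(message) if k not in denylist}


if __name__ == "__main__":
    for line in (NAGIOS_LINE, APACHE_LINE, USEFUL_LINE):
        print("loose :", loose_extract(line))
        print("strict:", extract_kv(line))
```

Running it shows the two mechanisms separately: the strict pattern alone stops the `==` and `key= value` artefacts, while the denylist is what removes `TTY`, `PWD`, `USER`, `GROUP` and `COMMAND`; passing `denylist=set()` shows those five pairs coming back. A denylist is only as good as its last update, so any new noisy key still lands in the index until it is added.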