Right now this all just appears in the ‘message’ field. I plan on using a pipeline rather than an extractor to separate out the fields (as not all incoming logs to that input will necessarily be in the same format).
Is there an easy way using pipeline rules to break the contents of the message out into separate fields?
// add some more to get this run only
// on the messages where it can run
// this will extract the key-value
// writes it to fields with a prefix
trim_value_chars: "\ ",
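A complete rule of the kind the fragment above points at, as an added example that is not code from the original thread. It assumes the message body is space-separated `key=value` pairs; the rule name and the `kv_` prefix are hypothetical. The prefix also keeps keys supplied by the log sender from overwriting existing fields such as `source` or `timestamp`.

```graylog
rule "kv: split message into prefixed fields"
when
  // Guard: only run on messages that can contain key=value pairs,
  // since other formats arrive on the same input.
  has_field("message") &&
  contains(to_string($message.message), "=")
then
  // Parse the pairs into a map (assumed format: key=value key2="value 2").
  let pairs = key_value(
    value: to_string($message.message),
    delimiters: " ",
    kv_delimiters: "=",
    ignore_empty_values: true,
    trim_value_chars: "\""
  );
  // Write every parsed pair as its own field. The prefix namespaces the
  // sender-controlled keys so they cannot replace built-in fields.
  set_fields(fields: pairs, prefix: "kv_");
end
```

Attach the rule to a pipeline stage connected to the stream that receives this input; messages that fail the `when` condition pass through unchanged.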