Alert processing query

(Robp1234) #1

Hi, I am using a collector to read from a logfile. All is working perfectly. The events as received into graylog look like:

eventtime: 2018-07-01T16:25:08Z, account_id: 123456, email:, ip_addr: etc

Right now this all just appears in the ‘message’ field. I plan on using a pipeline rather than an extractor to separate out the fields (as not all incoming logs to that input will necessarily be in the same format).

Is there an easy way using pipeline rules to break the contents of the message out into separate fields?

Graylog version 2.4.5



(Jan Doberstein) #2

What you have given looks like key-value pairs, each separated by , and with key and value separated by :

so following the docs ( ) you would have something like:

rule "get_key_value_out"
when
	// add some more to get this run only
	// on the messages where it can run
	true
then
	// this will extract the key-value pairs and
	// write them to fields with a prefix
	set_fields(
		fields: key_value(
			value: to_string($message.message),
			trim_value_chars: " ",
			delimiters: ",",
			kv_delimiters: ":"
		),
		prefix: "kv_"
	);
end

(Robp1234) #3

That was extremely helpful, thank you. Quick follow-on query: my key-value separator is actually ": " (colon whitespace). The event_time field contains colons in the data value, e.g. 12:00:00.

I have tried
kv_delimiters: ": "
kv_delimiters: ":\ "

The first just ignores the whitespace, and breaks the event_time and the second seems to be an error.

Is there a way to get the kv_delimiter to be ": "?
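For comparison, here is the split this post describes done in Python (an added example, not Graylog code and not from anyone in the thread): pairs are separated by "," and the key is cut from the value at the two-character ": " delimiter, so the colons inside the timestamp survive, while an empty value written as "email:" (no trailing space, as in the sample event above) still yields a field. The sample line, its IP and the kv_ prefix are constructed to match the thread.

```python
# Constructed sample line, modelled on the event shape quoted in the question.
SAMPLE = "eventtime: 2018-07-01T16:25:08Z, account_id: 123456, email:, ip_addr: 192.0.2.10"


def parse_kv_message(message: str, prefix: str = "kv_") -> dict:
    """Split 'key: value, key: value' text into prefixed fields.

    Pairs are separated by ','. Inside a pair the delimiter is the
    string ': ' (colon followed by a space), not the set of characters
    {':', ' '}, so a value such as 16:25:08 is not cut at its colons.
    A pair that ends in a bare ':' (e.g. 'email:') is an empty value.
    A pair with neither ': ' nor a trailing ':' is ambiguous and skipped.
    """
    fields = {}
    for pair in message.split(","):
        pair = pair.strip()          # equivalent of trim_value_chars " "
        if not pair:
            continue                 # tolerate ',,' and trailing commas
        key, sep, value = pair.partition(": ")
        if not sep:
            if pair.endswith(":"):
                key, value = pair[:-1], ""
            else:
                continue
        key = key.strip()
        if key:
            fields[prefix + key] = value.strip()
    return fields


if __name__ == "__main__":
    for name, value in parse_kv_message(SAMPLE).items():
        print(f"{name} = {value!r}")
```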



(Jan Doberstein) #4

Hey Rob,

That might be a bug, from my current point of view. Do you mind opening a bug issue over at GitHub?

Thank you