Out of the box, Graylog is very Apache combined log friendly. A common log entry has a request URI with a URL followed by &key1=value1&key2=value2 etc.
You can’t use the usual KV splitter in an input extractor because they don’t quite follow the usual pattern of k1=v1 k2=v2 etc., because those are space separated instead of & separated.
Now that I’ve put my thoughts into a post, it looks like I might mutate the & into a space char or something like that and then KV split.
My question was going to be should I do this in an extractor or a pipeline?
rule "Cisco KV"
when
    has_field("cisco_msg")
then
    // Split the comma-separated "key:value" pairs in cisco_msg into message fields
    set_fields(
        fields: key_value(
            value: to_string($message.cisco_msg),
            delimiters: ",",
            kv_delimiters: ":"
        )
    );
end
Then I use a couple of pipeline rules to further sort out and enrich the data. I guess I could move that into an initial pipeline rule and ditch the extractor. Project for another time, though.
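The same key_value approach applied to the original question (the &key=value query string of an Apache request URI), as an added example that is not code from the thread. It assumes the Apache combined log has already been parsed into a field named request holding the request URI (that field name is an assumption); everything after the first ? is handed to key_value with & as the pair delimiter and = as the key/value delimiter, so no & to space mutation is needed. The prefix on set_fields keeps attacker-controlled parameter names in a request URI from overwriting existing message fields such as source or timestamp.

```graylog
rule "Apache query string KV"
when
    // Only fire when a request URI is present and actually carries a query string
    has_field("request") && contains(to_string($message.request), "?")
then
    // Capture everything after the first '?' (group 0 of the regex result map).
    // Assumed field name: request (set by whatever parsed the combined log line).
    let qs = regex("[?](.*)$", to_string($message.request));

    // Split "k1=v1&k2=v2" directly: '&' separates pairs, '=' separates key from value.
    // handle_dup_keys decides what a repeated parameter (k=a&k=b) becomes.
    set_fields(
        fields: key_value(
            value: to_string(qs["0"]),
            delimiters: "&",
            kv_delimiters: "=",
            handle_dup_keys: "take_first"
        ),
        // Namespace the new fields so a request like /?source=evil cannot clobber
        // the message's own source field.
        prefix: "qs_"
    );
end
```

Values are left URL-encoded as they appear in the log; decode them in a later rule if you need the decoded form, and keep the prefix so that field names derived from untrusted input stay separate from fields your other rules rely on.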