Assistance with extractors

gsmith · July 5, 2022, 2:52am

Just an fyi, My last lesson on pipelines was from here.

Vulnerability Scan Detection - #7 by tmacgbay

Something like this will work

rule "Regex multiple fields"
when
  has_field("message")
then

  let robin = regex("mode=(\\S+).*src_ip=(\\S+).*src_port=(\\S+)", to_string($message.message));

  set_field("mode",      robin["1"]);
  set_field("src_ip",    robin["2"]);
  set_field("src_port",  robin["3"]);  

end

Topic		Replies	Views
Need help with draytek log extractor Graylog Central (peer support)	1	39	December 29, 2024
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	650	May 25, 2018
Pipeline hangup Graylog Central (peer support)	4	489	August 2, 2022
After import of extractor no fields show in stream Graylog Central (peer support)	14	2094	April 24, 2018
Extractor causing input to hang Graylog Central (peer support)	8	335	June 28, 2022

Assistance with extractors

Related topics