Basic contain from message field

Hi,
I'm currently testing out Graylog and I need to "grep" for a word in the message field and update another field.

My code is:

rule "csf add"
when
    // contains(value, search) checks whether value contains search:
    // the message is the value, "Firewall" is the search string
    has_field("message") AND contains(to_string($message.message), "Firewall")
then
    set_field("filebeat_prospector_type", "csf");
end

You should try to split the message by space or commas, and then get the position of the string you need.

Message: The  word  I  need  is  Graylog
Index:    0    1    2   3    4   5

rule "example"
when
    true
then
    // split(pattern, value) returns a list of tokens; index 5 is the sixth word
    let m = split(" ", to_string($message.message));
    set_field("new_field", m[5]);
end

new_field = Graylog
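Positional indexing breaks as soon as the wording shifts by one token, and the original `contains()` call had its arguments reversed. As an added example (not from either poster), the rule below combines both ideas: it classifies lines that mention "Firewall" (case-insensitive) and pulls out the word after "is" with an anchored regex, only firing when the pattern actually matches. The field names `filebeat_prospector_type` and `new_field` are taken from the thread; the `\bis\s+(\S+)` pattern and the group name `word` are assumptions.

```text
// Added example: classify firewall lines and extract the reported word
// without depending on a fixed token position.
rule "csf classify and extract"
when
    has_field("message") AND
    // contains(value, search, ignore_case): the message is the value
    contains(to_string($message.message), "Firewall", true) AND
    // Only run the action block when the extraction pattern matches,
    // so new_field is never set to null on lines with a different shape.
    regex("\\bis\\s+(\\S+)", to_string($message.message)).matches == true
then
    set_field("filebeat_prospector_type", "csf");
    // Name the capturing group instead of relying on a numeric index;
    // "word" is an assumed name for this example.
    let m = regex("\\bis\\s+(\\S+)", to_string($message.message), ["word"]);
    set_field("new_field", m["word"]);
end
```

Fed the sample line "The word I need is Graylog", the rule sets `new_field` to `Graylog` whether or not extra words precede it; a line without "is <word>" leaves the message untouched rather than writing an empty field.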
