Can we format message that we received in Graylog?

Hi, I have a requirement where I am sending the output of a single script to Graylog. It has many lines, each new line is separated by a special character, and I want to replace that special character with a new line when the message is displayed. Is there any way to do it?

For e.g. My message string is following

line 1;line 2;line 3;line 4 and when displaying that message I want to replace that “;” with a new line “\n” in Graylog. Is there a way to do it?

Such is not possible with vanilla Graylog - you need to work around that.

Hi Jan,

Any suggestion from you to have any kind of work around?

Only hacky solutions that I do not want to share … because that includes writing your own daemon that works with the data before it is ingested into Graylog.

So does that mean that I have chosen the wrong tool for this type of requirement? Because this is a really common requirement when we talk about any log system: to have the log in a readable format.

Because when I also put \n in the message, it doesn’t take it into account and just treats it as a string.

Also, when we pass a multiline string, it is considered as a separate message for each line.

I do not know your requirements at all.

You asked how to make a specific operation - It might be that regex-replace can do this - but I’m not sure. If you just want to have that during display time, the processing pipeline can be used in a decorator.

You do not share what you have done, just mention in a half sentence what is not working for you, leaving out the details about how you ingest.

Interpreting \n as a new line might be useful in your specific use, but did you think about whether every \n should be a new line? Might it be possible that another person does not want that and asks how to disable it?
Why not take everything ingested as a string and make the user responsible for parsing the message as he likes?

Regarding multiline messages - how would Graylog know if you are sending a new message line or a part of the old message? Ingest multiline messages as such an event and it works (read - ingest all together and not line by line).
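
The advice above about ingesting a multi-line event all together, shown as an added example that is not part of the thread: a sender that turns the separator-joined script output into one GELF message whose `full_message` holds real line breaks. The host name, server address and the `_line_count` field are assumptions; 12201 is the usual GELF input port.

```python
import json
import socket
import time

SEPARATOR = "NEWLINE"  # separator used in the thread's sample message


def build_gelf(raw, host="script-host", separator=SEPARATOR):
    """Return one GELF 1.1 payload (bytes) for separator-joined script output."""
    # Split on the separator and trim the padding around each line.
    lines = [part.strip() for part in raw.split(separator)]
    lines = [line for line in lines if line]
    if not lines:
        raise ValueError("no content to send")
    record = {
        "version": "1.1",
        "host": host,                      # assumed source name
        "short_message": lines[0],         # GELF requires a short_message
        "full_message": "\n".join(lines),  # real line breaks, one event
        "timestamp": time.time(),
        "level": 6,                        # syslog "informational"
        "_line_count": len(lines),         # assumed custom field
    }
    # json.dumps escapes each line break inside the JSON string, so the payload
    # is a single line on the wire and decodes back to real newlines.
    return json.dumps(record).encode("utf-8")


def send_udp(payload, server="127.0.0.1", port=12201):
    """Send one uncompressed, unchunked GELF datagram (assumed GELF UDP input)."""
    if len(payload) > 8192:  # conservative single-datagram limit
        raise ValueError("payload too large; use GELF chunking or GELF TCP")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (server, port))


if __name__ == "__main__":
    # Constructed sample, taken from the message format shown in the thread.
    sample = "This is line1 NEWLINE This is line 2 NEWLINE This is line 3"
    send_udp(build_gelf(sample))
```

Graylog stores `short_message` as the `message` field and `full_message` as its own field, so the whole script output arrives as a single event.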

Hi Jan,

Sorry if I haven’t explained it properly; let me provide you the details.

I have following example message as a string and I also tried using pipeline rule in following way.

The message string is the output of my shell script, a multiline message that I have combined with a “NEWLINE” separator to send it as a single string to Graylog.

This is line1 NEWLINE This is line 2 NEWLINE This is line 3

rule "process_when_message_contains_newline_text"
when
  has_field("message") AND contains(to_string($message.message), "NEWLINE")
then
  let temp = replace(to_string($message.message), "NEWLINE", "\n");
  set_field("message", to_string(temp));
end

So “NEWLINE” is my separator, which we have replaced with an actual line break while displaying the message, but it didn’t work.

I want to display given message in following way

This is line1
This is line 2
This is line 3

is the string NEWLINE replaced by \n? But \n is not displayed as newline?

Yes Jan,


The replace worked, but \n isn’t displayed as a newline.

Hi @Sagar,

That is to be expected. The replace function only deals with strings so, when you say you want “\n” it will give you “\n”.

You could try using the regex_replace function and make your rule similar to the below:

rule "process_when_message_contains_newline_text"
when
  has_field("message") AND contains(to_string($message.message), "NEWLINE")
then
  // Match only the separator: a pattern spanning the whole string would replace the entire message.
  let temp = regex_replace("NEWLINE", to_string($message.message), "\n", true);
  set_field("message", to_string(temp));
end

I haven’t tested the above so, I have no idea if it will work and provide a newline or whether it will also just output “\n”.
