So I have been testing Graylog's capabilities with parsing complex URLs.
What I'm trying to achieve is relatively simple, but getting a Graylog pipeline to play ball is
harder than I thought it would be.
So I have a field that is created called query, which extracts all information after the ? in the URL in the log using grok patterns. So for my query I have this:
So for the pipeline I was thinking along these lines, but I cannot seem to get it to be happy:
rule "map query to fields"
when
  has_field("query")
then
  let data = parse_json(to_string($message.query));
  set_fields(to_map(data));
end
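Added example, not part of the original post: a pipeline rule that splits the query field with Graylog's `key_value()` function instead of `parse_json()`. It assumes the field holds an ordinary URL query string of the form `a=1&b=2` (the post's sample value is not shown); the rule name and the `query_` prefix are hypothetical choices.

```graylog
rule "map query string to prefixed fields"
when
  has_field("query")
then
  // Assumption: query looks like "a=1&b=2". Pairs are separated by "&",
  // and each key is separated from its value by "=".
  let pairs = key_value(
    value: to_string($message.query),
    delimiters: "&",
    kv_delimiters: "=",
    ignore_empty_values: true,
    allow_dup_keys: true,
    handle_dup_keys: "take_first"
  );
  // Parameter names come from the request itself. The prefix keeps a
  // parameter named e.g. "source" or "timestamp" from overwriting an
  // existing message field of the same name.
  set_fields(fields: pairs, prefix: "query_");
end
```

The values are stored exactly as they appear in the URL, so percent-encoded characters stay encoded in the resulting fields.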