So I have been testing Graylog's capabilities with parsing complex URLs.
What I'm trying to achieve is relatively simple, but getting a Graylog pipeline to play ball is
harder than I thought it would be.
So I have a field called query that is created by grok patterns, which extract everything after the ? in the URL in the log. For my query I have this:
test=true&animal=monkey
So for the pipeline I was thinking along these lines, but I cannot seem to get it to be happy:
rule "map query to fields"
when
has_field("query")
then
let data = parse_json(to_string($message.query));
set_fields(to_map(data));
end
There is no really good way to do this with regular expressions (or JSON parsing, since it's not JSON :D), but the key/value extractor may do the trick. Alternatively, change the way your application logs, if possible, to do it in full/proper JSON; then it's easy enough to pull out with the JSON parser.
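As an added example (not from either poster), the same idea inside a pipeline rule: instead of parse_json, Graylog's built-in key_value() function splits a string on a pair delimiter and a key/value delimiter and returns a map that set_fields() can apply. The field name query, the separators & and =, and the qs_ prefix are taken from the question above or chosen here for illustration.

```graylog
rule "map query to fields"
when
  has_field("query")
then
  // "test=true&animal=monkey" -> { test: "true", animal: "monkey" }
  let data = key_value(
    value: to_string($message.query),
    delimiters: "&",
    kv_delimiters: "=",
    ignore_empty_values: true,
    allow_dup_keys: true,
    handle_dup_keys: "take_first"
  );
  // Query keys come from the client, so a prefix keeps them from
  // overwriting existing message fields such as source or timestamp.
  set_fields(fields: data, prefix: "qs_");
end
```

With this rule the example query produces the fields qs_test=true and qs_animal=monkey. The handle_dup_keys setting decides what happens when a client repeats a parameter (take_first, take_last, or a join string); without it, duplicate keys raise an error and the rule aborts. Values are left URL-encoded, so a value like a%20b stays as-is unless you decode it in a later step, and if the query comes from arbitrary web traffic, the prefix also makes it easy to spot (and cap) unexpected field names in your index mappings.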