Cutting one message into an unknown number of new messages in the Pipe

Hello community,

I’m just trying to figure out how to get it right, and someone might have an idea.

We get logs that look like this from a web application firewall:

Header (Information about the attack, like a unique ID etc.)
Message: xxx
Message: yyy
Message: zzz
Apache-ERROR: xxx
Apache-ERROR: yyy
Apache-ERROR: zzz
End (Timestamps, Stopwatch, etc)

Message xxx and Apache-ERROR xxx belong together.
The number of messages and Apache errors can vary, from 1 to n.

Now I want to split them into their own messages like this:

Header (Information about the attack, like a unique ID etc.)
Message: xxx
Apache-ERROR: xxx
End (Timestamps, Stopwatch, etc)

Header (Information about the attack, like a unique ID etc.)
Message: yyy
Apache-ERROR: yyy
End (Timestamps, Stopwatch, etc)

and so on.
I know I can do it with the “create_message” function in the pipeline
and cut it with regex and regex_replace.

Best would be something like a loop or so, but that is not possible in Graylog.

Does anyone have an idea?
Regards
Tobias
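The split described in the post, as an added example that is not Graylog pipeline code: a plain-Python version that takes one raw WAF event, pairs Message i with Apache-ERROR i by position, copies the header and footer into every new block, and keeps surplus lines as unpaired blocks when the two counts differ (so a malformed event is never silently truncated). The sample event and the exact header/footer wording are constructed; the post only gives the shape.

```python
import re

# Added example (not Graylog's own code): the Message/Apache-ERROR line
# formats are taken from the post; header and footer are assumed to be
# whatever lines precede the first "Message:" / follow the last "Apache-ERROR:".
MSG_RE = re.compile(r"^Message:\s*(.*)$")
ERR_RE = re.compile(r"^Apache-ERROR:\s*(.*)$")


def split_waf_event(raw: str) -> list[str]:
    """Return one text block per (Message, Apache-ERROR) pair.

    Pairing is positional (Message i <-> Apache-ERROR i), as the post
    requires. If the counts differ, surplus lines still get their own block.
    """
    header, messages, errors, footer = [], [], [], []
    for line in raw.strip("\n").splitlines():
        if m := MSG_RE.match(line):
            messages.append(m.group(1))
        elif m := ERR_RE.match(line):
            errors.append(m.group(1))
        elif not messages and not errors:
            header.append(line)      # lines before the first Message:
        else:
            footer.append(line)      # lines after the last Apache-ERROR:

    blocks = []
    for i in range(max(len(messages), len(errors))):
        body = []
        if i < len(messages):
            body.append(f"Message: {messages[i]}")
        if i < len(errors):
            body.append(f"Apache-ERROR: {errors[i]}")
        blocks.append("\n".join(header + body + footer))
    return blocks


# Constructed sample in the shape the post describes (not a real WAF log).
SAMPLE = """Header: attack-id=PLACEHOLDER-ID
Message: xxx
Message: yyy
Message: zzz
Apache-ERROR: xxx
Apache-ERROR: yyy
Apache-ERROR: zzz
End: stopwatch=12ms"""

if __name__ == "__main__":
    for block in split_waf_event(SAMPLE):
        print(block, end="\n\n")
```

Inside Graylog the same positional pairing would be done by extracting the n-th Message and Apache-ERROR lines with regex and emitting each pair via create_message; this script is only a way to check the expected output for a given event outside the pipeline.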

No one has any idea?
Sometimes I really miss a counter in the regular expression and an if.
