elisi84
(Emanuele)
April 7, 2021, 10:39am
Hello,
I am trying to extract colon-separated key-value pairs, but the result is not as expected.
Raw message:
<38>Apr 07 10:28:05 ISCSI-YYYXXXX qlogd[6421]: conn log: Users: fake_user, Source IP: 123.456.789.12, Computer name: —, Connection type: HTTP, Accessed resources: Administration, Action: Login OK
Rule:
rule "key_value_parser"
when
    contains(to_string($message.message), "ISCSI-NASCNET1")
then
    set_fields(
        fields:
            key_value(
                value: to_string($message.message),
                delimiters: ",",
                kv_delimiters: ":"
            )
    );
end
The result is that only one field is created, and it is the field Action with value Logout.
Any suggestion?
Thanks,
Emanuele.
shoothub
(Shoothub)
April 7, 2021, 2:05pm
I don't think that KV is the right tool. I would suggest using grok patterns like this:
conn log:
Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Connection type: %{DATA:NAS_connection}, Accessed resources: %{DATA:NAS_resource}, Action: %{GREEDYDATA:NAS_action}
event log:
Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Content: %{GREEDYDATA:NAS_action}
Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Application: %{DATA:NAS_application}, Category: %{DATA:NAS_category}, Content: %{GREEDYDATA:NAS_action}
Instead of pipeline rule, you can use grok extractors as well.
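An added example, not from this thread and not Graylog code: a small Python sketch that first shows why a flat comma/colon split mishandles the quoted message (the syslog header and the "conn log:" prefix sit in the same comma-separated chunk as "Users", so that chunk splits at the wrong colon), and then translates the three grok patterns above into anchored regular expressions. The DATA, IP and GREEDYDATA fragments are simplified stand-ins for the grok primitives, not their real definitions; in particular the IP fragment does not check octet ranges the way grok's IP pattern does, which is why the placeholder address from the post matches here. The two "event log" messages are constructed for the test.

```python
import re

# Constructed sample messages. The first is the raw message quoted in the post;
# the other two are made up here to exercise the "event log" variants listed above.
SAMPLE_CONN = (
    "<38>Apr 07 10:28:05 ISCSI-YYYXXXX qlogd[6421]: conn log: Users: fake_user, "
    "Source IP: 123.456.789.12, Computer name: —, Connection type: HTTP, "
    "Accessed resources: Administration, Action: Login OK"
)
SAMPLE_EVENT_APP = (
    "<38>Apr 07 10:30:11 ISCSI-YYYXXXX qlogd[6421]: event log: Users: fake_user, "
    "Source IP: 10.0.0.5, Computer name: WORKSTATION01, Application: File Station, "
    "Category: Share, Content: Folder created"
)
SAMPLE_EVENT = (
    "<38>Apr 07 10:31:40 ISCSI-YYYXXXX qlogd[6421]: event log: Users: fake_user, "
    "Source IP: 10.0.0.5, Computer name: WORKSTATION01, Content: Password changed"
)


def naive_kv(message: str) -> dict:
    """Flat split on ',' then on the first ':' (roughly what a generic KV parser does).
    The syslog header and the 'conn log:' prefix share the first comma-separated chunk
    with 'Users', so that chunk splits at the wrong colon and the 'Users' key is lost."""
    fields = {}
    for chunk in message.split(","):
        if ":" in chunk:
            key, value = chunk.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


# Simplified stand-ins for the grok primitives (assumptions, not grok's real definitions).
# Grok's IP pattern also validates octet ranges; this one does not.
DATA = r".*?"
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
GREEDYDATA = r".*"

# Ordered list: the longer "event log" form must be tried before the shorter one, otherwise
# the lazy DATA in "Computer name" would swallow ", Application: ..., Category: ...".
PATTERNS = [
    ("conn", re.compile(
        rf"conn log: Users: (?P<NAS_user>{DATA}), Source IP: (?P<NAS_IP>{IP}), "
        rf"Computer name: (?P<NAS_id>{DATA}), Connection type: (?P<NAS_connection>{DATA}), "
        rf"Accessed resources: (?P<NAS_resource>{DATA}), Action: (?P<NAS_action>{GREEDYDATA})$"
    )),
    ("event_app", re.compile(
        rf"event log: Users: (?P<NAS_user>{DATA}), Source IP: (?P<NAS_IP>{IP}), "
        rf"Computer name: (?P<NAS_id>{DATA}), Application: (?P<NAS_application>{DATA}), "
        rf"Category: (?P<NAS_category>{DATA}), Content: (?P<NAS_action>{GREEDYDATA})$"
    )),
    ("event", re.compile(
        rf"event log: Users: (?P<NAS_user>{DATA}), Source IP: (?P<NAS_IP>{IP}), "
        rf"Computer name: (?P<NAS_id>{DATA}), Content: (?P<NAS_action>{GREEDYDATA})$"
    )),
]


def parse_qlogd(message: str):
    """Return the extracted fields plus a log_type tag, or None if no pattern matches."""
    for log_type, pattern in PATTERNS:
        match = pattern.search(message)
        if match:
            fields = match.groupdict()
            fields["log_type"] = log_type
            return fields
    return None


if __name__ == "__main__":
    print("naive:", naive_kv(SAMPLE_CONN))
    for sample in (SAMPLE_CONN, SAMPLE_EVENT_APP, SAMPLE_EVENT):
        print(parse_qlogd(sample))
```

The same ordering concern applies when several grok patterns are stacked in a Graylog extractor or pipeline stage: a pattern whose `%{DATA:...}` field is followed by a literal that also appears later in a longer message variant will match the longer variant first unless the more specific pattern is evaluated before it.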
elisi84
(Emanuele)
April 8, 2021, 9:16am
Many thanks @shoothub, at the moment I have found another solution to my problem and I do not need the extraction anymore, but I have really appreciated your answer. Maybe I will use it in the future. Thanks,
Emanuele.
system
(system)
Closed
April 22, 2021, 9:17am
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.