Extract colon-separated key-value pairs

Hello,
I am trying to extract colon-separated key-value pairs, but the result is not as expected.

Raw message:
<38>Apr 07 10:28:05 ISCSI-YYYXXXX qlogd[6421]: conn log: Users: fake_user, Source IP: 123.456.789.12, Computer name: —, Connection type: HTTP, Accessed resources: Administration, Action: Login OK

Rule:
rule "key_value_parser"
when
  contains(to_string($message.message), "ISCSI-NASCNET1")
then
  set_fields(
    fields:
      key_value(
        value: to_string($message.message),
        delimiters: ",",
        kv_delimiters: ":"
      )
  );
end

The result is that only one field is created, and it is the field Action with value Logout.
Any suggestion?
Thanks,
Emanuele.

I don't think that KV is the right tool. I would suggest using grok patterns like this:

  • conn log:
    Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Connection type: %{DATA:NAS_connection}, Accessed resources: %{DATA:NAS_resource}, Action: %{GREEDYDATA:NAS_action}

  • event log:
    Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Content: %{GREEDYDATA:NAS_action}
    Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_IP}, Computer name: %{DATA:NAS_id}, Application: %{DATA:NAS_application}, Category: %{DATA:NAS_category}, Content: %{GREEDYDATA:NAS_action}

Instead of a pipeline rule, you can use grok extractors as well.

1 Like
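An offline way to check the three layouts from the answer above before loading them into Graylog. This is an added example, not code from the thread or from Graylog. It assumes `.*?`, `.*` and a validated address are acceptable stand-ins for `%{DATA}`, `%{GREEDYDATA}` and `%{IP}`, and that event lines carry an `event log:` marker in the same position as `conn log:`; `NAS_log_type` and the sample line are constructed for illustration.

```python
import ipaddress
import re

# Assumed regex stand-ins for the grok primitives used in the answer:
# DATA -> lazy ".*?", GREEDYDATA -> ".*", IP -> loose match validated afterwards.
DATA, GREEDY, IP = r".*?", r".*", r"[0-9A-Fa-f:.]+"

def compile_layout(*fields):
    """Build one anchored pattern from (label, field_name, primitive) triples."""
    parts = [f"{re.escape(label)}: (?P<{name}>{prim})" for label, name, prim in fields]
    return re.compile(", ".join(parts) + r"$")

HEAD = [("Users", "NAS_user", DATA), ("Source IP", "NAS_IP", IP),
        ("Computer name", "NAS_id", DATA)]
# Most specific layout first, so the lazy "Computer name" cannot swallow other keys.
LAYOUTS = {
    "conn log": [compile_layout(*HEAD, ("Connection type", "NAS_connection", DATA),
                                ("Accessed resources", "NAS_resource", DATA),
                                ("Action", "NAS_action", GREEDY))],
    "event log": [compile_layout(*HEAD, ("Application", "NAS_application", DATA),
                                 ("Category", "NAS_category", DATA),
                                 ("Content", "NAS_action", GREEDY)),
                  compile_layout(*HEAD, ("Content", "NAS_action", GREEDY))],
}

# Constructed sample line (documentation IP, made-up host and user).
SAMPLE = ("<38>Apr 07 10:28:05 nas01 qlogd[6421]: conn log: Users: alice, "
          "Source IP: 192.0.2.10, Computer name: ---, Connection type: HTTP, "
          "Accessed resources: Administration, Action: Login OK")

def parse_nas_line(line):
    """Return extracted fields, or None if the line matches no known layout."""
    for log_type, patterns in LAYOUTS.items():
        # Cut at the marker so colons in the syslog header never reach the patterns.
        _, found, body = line.partition(f" {log_type}: ")
        if not found:
            continue
        for pattern in patterns:
            m = pattern.match(body)
            if not m:
                continue
            try:
                ipaddress.ip_address(m["NAS_IP"])  # rejects e.g. 123.456.789.12
            except ValueError:
                return None
            return {"NAS_log_type": log_type, **m.groupdict()}
    return None

if __name__ == "__main__":
    print(parse_nas_line(SAMPLE))
```

Lines that return `None` are the ones to inspect by hand: either a layout not covered here or a source address that does not parse.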

Many thanks @shoothub, at the moment I have found another solution to my problem and I do not need the extraction anymore, but I have really appreciated your answer. Maybe I will use it in the future. Thanks,
Emanuele.