Filter messages by field position delimited by whitespasce? (like: cut -d" " -f...)

igittigitt · December 4, 2024, 7:26am

Hi, i have some services which sends whole messages into Graylog and they are not parsed (yet) but have a defined layout so the first parts could be split by whitespace. Is there a way to write a query which acts only on a specific field of that message.

2024-12-04 08:20:30,813 - INFO  - eventfilter.EventFilter - [d09cf8a8-4ba7-4585-b54d-90082df6c262] - Content item filtered out (id: 36383035, content-type: 'picture')

Here i’d like to get the 4th (severity), 6th (type) and 10th onwards into a search query.

gsmith · December 5, 2024, 4:19am

Hey @igittigitt

I assume you want parts of the message and place them under a custom field? you could try a pipeline /w regex.

system · December 19, 2024, 4:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Notification mesage filter Graylog Central (peer support)	8	700	December 23, 2019
Basic contain from message field Graylog Central (peer support)	2	391	October 1, 2019
Regex in Search Field Graylog Central (peer support)	6	1420	September 20, 2018
Extractor help needed Graylog Central (peer support)	2	817	March 15, 2021
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	1016	October 14, 2019

Filter messages by field position delimited by whitespasce? (like: cut -d" " -f...)

Related topics