I’m trying to extract a portion of log message using regex, then extract key value pairs from the extracted string.
However, it appears there might be no means of getting the values from a RegexMatch$RegexMatchResult object.
rule "get kv from message"
when
  true
then
  // regex() returns a single match result, not an array: index it with the
  // group key directly ("0" is the first capture group) instead of [0]["0"]
  let kv_array = regex("SOMETEXT\\](.*?)\"", to_string($message.message));
  let kv_map = key_value(to_string(kv_array["0"]), ",", "=");   // <------------like this
  set_fields(kv_map);
end
I have thought of adding a set_fields(kv_array) as a temp field, then calling the field in key_value(), setting the kv fields and then deleting the temp field. But this does not seem to be the right way to do it (not to mention I'm not sure if it'll work).
Do you have any recommendations on how to go about doing this?
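To sanity-check what the two stages of the rule above actually do to a message before deploying it, here is a small Python model of the same pipeline: the post's regex applied to a constructed sample line, followed by a minimal key_value-style split on "," and "=". This is an added example, not code from the original post or Graylog's own implementation; the sample message, the no-match handling and the key_value behaviour (skipping pairs without a "=") are assumptions made for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample message (not from the original post), shaped so that the
# post's pattern SOMETEXT\](.*?)" captures a comma-separated key=value section.
SAMPLE_MESSAGE = (
    'host1 app[1234]: SOMETEXT] user=alice,action=login,result=ok" trailing text'
)

# Same pattern as the rule. The rule double-escapes the backslash inside a
# string literal; a Python raw string does not need that.
PATTERN = re.compile(r'SOMETEXT\](.*?)"')


def extract_kv_section(message: str) -> Optional[str]:
    """Stage 1 (regex): return the first capture group, or None when the
    pattern does not match. In the pipeline this is the case the rule should
    guard against before indexing the match result."""
    match = PATTERN.search(message)
    return match.group(1) if match else None


def key_value(text: str, pair_delim: str = ",", kv_delim: str = "=") -> Dict[str, str]:
    """Stage 2: a minimal model of key_value(value, delimiters, kv_delimiters).
    Split on the pair delimiter, then split each pair once on the kv delimiter
    so values containing '=' survive. Pairs with no kv delimiter are skipped."""
    fields: Dict[str, str] = {}
    for pair in text.split(pair_delim):
        pair = pair.strip()
        if not pair or kv_delim not in pair:
            continue  # assumption: junk fragments are dropped, not raised on
        key, value = pair.split(kv_delim, 1)
        fields[key.strip()] = value.strip()
    return fields


def fields_from_message(message: str) -> Dict[str, str]:
    """The whole rule: regex, then key_value on the captured group. Returns an
    empty map (nothing for set_fields to do) when the regex does not match."""
    section = extract_kv_section(message)
    if section is None:
        return {}
    return key_value(section)


if __name__ == "__main__":
    print(fields_from_message(SAMPLE_MESSAGE))
    print(fields_from_message("no marker in this line"))
```

Running the script shows the captured section still carries its leading space, which key_value strips per key, and that a message without the marker yields no fields rather than an error; in the real rule that second case is what a `when regex(...).matches` condition protects against.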