Graylog 4.X Not Parsing All JSON Fields with parse_json()

jandrusk · April 13, 2021, 2:27am

I’m sending Suricata logs from PFSense to Syslog-NG to Graylog. I have a Graylog Pipeline with the following rule that parses some, but not all of the embedded JSON fields:

rule “suricata_strip”
when contains(to_string($message.message), “kiera suricata”) then
let m = regex_replace(“kiera suricata: “, to_string($message.message),to_string(””) );
let json_fields = parse_json(m);
set_fields(to_map(json_fields));
end

I’m using a regex_replace to remove the leading string that Syslog-NG is adding, so it’s stripped down to pure JSON. However, when I looked at one of the messages only certain fields are parsed into new fields. Attaching two screenshots of a sample of a partially parsed message. Some messages are not parsed at all.

Any ideas?

shoothub · April 13, 2021, 7:17am

Try to use json extractor, sometimes extractor is better in parsing than pipeline rule function.

system · April 27, 2021, 7:17am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Suricata on PfSense 3 Different 'Message' fields Graylog Central (peer support) pipeline-rules	5	679	February 11, 2021
Extract Json via Pipeline Graylog Central (peer support)	6	1833	August 8, 2022
Pipeline Rule doesn't see extracted fields but only a few $message properties like $message.message and $message.level Graylog Central (peer support) pipeline-rules , debuggingpl	4	2232	November 29, 2017
Handling syslog messages that are split by the source application Graylog Central (peer support)	8	520	December 9, 2023
Issue with parsing regex expression in pipelines Graylog Central (peer support) pipeline-rules , regex-special-charac , jsonfblx	8	156	January 17, 2024

Graylog 4.X Not Parsing All JSON Fields with parse_json()

Related Topics