Graylog Forwarder

aaronsachs · September 15, 2021, 3:44pm

Try this:

rule "Parsing key/value pairs"
when
    true
then
    set_fields
        (
        fields: key_value
            (
            value: to_string($message.message),
            trim_key_chars: "",
            trim_value_chars:"\"",
            delimiters: " ",
            kv_delimiters: "="
            )
        );
end

This should work if you’re sending the logs to a RAW input

Topic		Replies	Views
Using extractors on forwarder inputs Graylog Central (peer support)	3	173	November 13, 2023
Parsing Logs On Graylog Graylog Central (peer support)	8	8629	November 17, 2017
Extractor doesn't appears in field Graylog Central (peer support)	2	1050	June 6, 2019
Applying any extractor to an input makes it stop working Graylog Central (peer support)	3	663	August 17, 2020
Can't manage particular type of log (Extractof don't works) Graylog Central (peer support)	6	905	May 1, 2018

Graylog Forwarder

Related topics