1. Describe your incident:
Hi
Recent changes to how O365 inputs are processed have meant we need to do some adjusting in pipelines.
I have this field:
vendor_event_description
which contains data in this format:
Office 365 log event: SharePoint: [app@sharepoint] : [255.255.255.255] FileDownloaded
I want to drop everything before the second ] i.e. set vendor_event_description to FileDownloaded
I wrote this pipeline rule:
rule "parse_vendor_event_description"
when
  has_field("vendor_event_description")
then
  let vendor_desc = regex("^.*?\].*?\](.*)", (to_string($message.vendor_event_description)));
  set_field("vendor_event_description", vendor_desc);
end
This results in this error:
[359]: index [graylog_14], id [c72431d1-ca70-11ee-b9fe-0a9969dcbab1], message [OpenSearchException[OpenSearch exception [type=mapper_parsing_exception, reason=failed to parse field [vendor_event_description] of type [keyword] in document with id 'c72431d1-ca70-11ee-b9fe-0a9969dcbab1'. Preview of field's value: '{0= Update Succeeded}']]; nested: OpenSearchException[OpenSearch exception [type=illegal_state_exception, reason=Can't get text on a START_OBJECT at 1:8707]];]
I think the regex is right - I've tested it elsewhere. Presumably I need to process vendor_event_description in some way other than to_string? Or have I got something else wrong?
Advice appreciated!
Thanks
Rob
2. Describe your environment:
-
OS Information:
-
Package Version:
5.2.4, using Opensearch
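The error preview ('{0= Update Succeeded}') shows that regex() returns a map of capture groups, and that map is being written whole into a keyword field. As an added example (not the poster's rule or Graylog's own code), here is a version that stores only group "0" and skips messages the pattern does not match; it assumes the "] FileDownloaded" layout quoted above and deliberately avoids backslashes in the pattern so it does not depend on the rule language's string escaping.

```graylog
rule "parse_vendor_event_description"
when
  has_field("vendor_event_description") &&
  // Only fire when the value really has the "[...] : [...] Action" shape, so an
  // unexpected layout keeps its original value instead of becoming an empty string.
  regex("^.*?].*?] *(.*)$", to_string($message.vendor_event_description)).matches
then
  // regex() returns a map keyed "0", "1", ... for the capture groups (plus a
  // boolean "matches"); storing the whole map into a keyword field triggers the
  // mapper_parsing_exception seen in the post, so extract the group as a string.
  let m = regex("^.*?].*?] *(.*)$", to_string($message.vendor_event_description));
  set_field("vendor_event_description", to_string(m["0"]));
end
```

Setting the field to a string rather than a map also keeps the OpenSearch mapping for vendor_event_description stable, which is what the index-time error is guarding.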