I had a previous rule that broke out the event_description field as defined by a quoted section of the message, then broke out the portion that needed key_value() applied, cleaning up the spaces and commas. Note how the regex is non-capturing for the first two words, then, once it's done its work, I am referencing indexes. Also note the commented-out debug() functions so I could watch what this looked like as it went through. Not pretty and likely not efficient, but I didn't have thousands of these coming in (small company).
rule "parse event_description"
when
    has_field("event_description")
then
    let e_message = to_string($message.event_description);
    // non-capturing group skips the first two words; group "0" is the action, group "1" the key/value tail
    let desc_parts = regex(pattern: "^(?:\\w+\\s+){2}(.*)\\.\\s+(.+)", value: e_message);
    set_field("event_action", to_string(desc_parts["0"]));
    let desc_lowered = replace(lowercase(to_string(desc_parts["1"])), " , ", ", "); // might have extraneous commas
    let desc_cleaned = regex_replace("\\b\\s+", desc_lowered, "_"); // replace unwanted spaces
    let keyed_up = key_value(desc_cleaned,
        ",",          // delimiters between pairs
        ":",          // key/value delimiter
        true,         // ignore_empty_values
        true,         // allow_dup_keys
        "take_last",  // handle_dup_keys
        " ",          // trim_key_chars
        " "           // trim_value_chars
    );
    //debug("$$$$---Event to be :");
    //debug(to_string(keyed_up));
    set_fields(keyed_up);
end
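To sanity-check the rule's regexes offline before deploying them, here is an added Python re-implementation of the same steps; it is not part of the original post or of Graylog, key_value() below is my approximation of the Graylog function for the arguments the rule uses, and the sample description is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Same pattern as the rule: skip two words, capture the action up to the
# last ". ", then capture the key/value tail.
DESC_PATTERN = re.compile(r"^(?:\w+\s+){2}(.*)\.\s+(.+)")

# Constructed sample event_description, not a real log line.
SAMPLE = ("Security audit Account locked out. User: JDoe, Source host: SRV01, "
          "Failed attempts: 3 , Failed attempts: 5")

def split_description(desc: str) -> Optional[Tuple[str, str]]:
    """Return (event_action, kv_tail), or None when the regex does not match."""
    m = DESC_PATTERN.match(desc)
    return None if m is None else (m.group(1), m.group(2))

def normalize_tail(tail: str) -> str:
    """Mirror lowercase(), replace(" , ", ", ") and regex_replace("\\b\\s+", ..., "_")."""
    lowered = tail.lower().replace(" , ", ", ")
    # \b\s+ only matches whitespace that directly follows a word character, so
    # "Source host" becomes "source_host" while ": srv01" and ", failed" keep their space.
    return re.sub(r"\b\s+", "_", lowered)

def key_value(text: str, delimiters: str = ",", kv_delimiters: str = ":",
              ignore_empty_values: bool = True, handle_dup_keys: str = "take_last",
              trim_key_chars: str = " ", trim_value_chars: str = " ") -> Dict[str, str]:
    """My approximation of Graylog's key_value() for the arguments the rule uses."""
    result: Dict[str, str] = {}
    for chunk in re.split("[" + re.escape(delimiters) + "]", text):
        parts = re.split("[" + re.escape(kv_delimiters) + "]", chunk, maxsplit=1)
        if len(parts) != 2:
            continue  # no key/value delimiter in this chunk
        key = parts[0].strip(trim_key_chars)
        value = parts[1].strip(trim_value_chars)
        if not key or (ignore_empty_values and not value):
            continue
        if key in result and handle_dup_keys == "take_first":
            continue
        result[key] = value  # take_last: a later duplicate overwrites
    return result

def process(desc: str) -> Dict[str, str]:
    """Emulate the whole rule: the fields set_field()/set_fields() would write."""
    parts = split_description(desc)
    if parts is None:
        return {}  # nothing to extract from a description the pattern does not match
    action, tail = parts
    fields = {"event_action": action}
    fields.update(key_value(normalize_tail(tail)))
    return fields
```

Running process(SAMPLE) shows the duplicated "Failed attempts" key collapsing to its last value and the multi-word key turning into source_host, which is what the rule's take_last and "\\b\\s+" arguments are doing.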