I have a badly formatted message from a network device that I get from syslog. I’ve got a tidy little pipeline rule that gets it all formatted. But what I really want, and can’t figure out how to do, is the following. Currently, without if/then logic in pipeline rules, it takes a couple of rules to mimic that logic. For each message, I whittle away at the message, placing the remainder into a holding value for the next rule. So first we get the basic parts that are common to all received messages:
rule "packet: split common header"
when
    true
then
    // split off the three common fields; the 4th element keeps the unparsed remainder
    let values = split(",", to_string($message.message), 4);
    let map = {
        interface: values[0],
        packetid: values[1],
        packettype: values[2]
    };
    set_field("packet_properties", map);
    // hold the remainder for the next rule to continue parsing
    set_field("message", values[3]);
end
result:
{
interface: blah,
packetid: blah,
packettype: IPv4
}
OK, cool. So now in the NEXT rule, I will extract “message” and continue parsing it IF packettype == IPv4. But I want the next set of values to end up looking like this:
{
interface: blah,
packetid: blah,
packettype: IPv4,
ipv4_properties: {
TOS: xxx.
TTL: xxxx,
Flags: xxx
}
}
For the life of me I can’t get anything like set_fields or anything to do that. Can I only make flat json in Graylog?
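One way to get the nested shape asked for above, as an added example rather than anything from the original post or from Graylog's own documentation: a second rule that fires only when the first rule tagged the packet as IPv4, parses the held-back remainder, and builds the nested structure with a map literal inside another map literal. It assumes the remainder is a comma-separated `key=value` list with keys `TOS`, `TTL` and `Flags` (the real device format is not shown on the page), and that `packet_properties` is still the map the first rule set.

```graylog
rule "packet: parse IPv4 properties"
when
    // fire only for messages the first rule tagged as IPv4
    has_field("packet_properties") &&
    to_string(to_map($message.packet_properties)["packettype"]) == "IPv4"
then
    let hdr = to_map($message.packet_properties);

    // remainder held in "message" by the first rule; assumed to look like
    // "TOS=0x00,TTL=64,Flags=DF" (constructed sample format, not from the page)
    let rest = to_string($message.message);
    let kv = key_value(value: rest, delimiters: ",", kv_delimiters: "=");

    // inner map for the IPv4-specific values
    let ipv4 = {
        TOS: kv["TOS"],
        TTL: kv["TTL"],
        Flags: kv["Flags"]
    };

    // outer map: the common header plus the inner map as a single value
    let merged = {
        interface: hdr["interface"],
        packetid: hdr["packetid"],
        packettype: hdr["packettype"],
        ipv4_properties: ipv4
    };

    set_field("packet_properties", merged);
end
```

Put this rule in a later stage than the header rule so `packet_properties` and the held remainder already exist when the `when` clause is evaluated. Whether the nested value is still an object by the time it reaches your index or consumer depends on the output and index mapping, which the page does not show; check one message end to end before relying on it, and if the map gets flattened or dropped, the fallback is prefixed flat fields such as `ipv4_TTL` set with `set_fields`.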