How can I use pipelines to remove commas from events

karlt · November 10, 2017, 2:43pm

Dealing with Palo Alto Panorama events, which use comma delimiting for each field. Not looking to fully parse out the events, due to disk space concerns (events take up about 6x size when parsed out). Either that or if you know a way of searching within an event when it is ,data,
unable to do ,data, or “data” or “,data,”

example of event - from message field in graylog:

PANPANSERVER.sample.local  15:23:00,001801014452,TRAFFIC,start,1,2017/11/10 15:23:00,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,Palo-Rulename,domain\user,,ssl,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,SYSLOG-Forwarder,2017/11/10 15:23:00,32637,1,55887,443,25444,443,0x400000,tcp,allow,763,697,66,4,2017/11/10 15:23:00,0,any,0,3858443278,0x0,XX-PT0,US,0,3,1,n/a,27,16,0,0,,PANPANSERVER,from-policy

system · November 24, 2017, 2:44pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use pipelines to remove commas from events? Graylog Central (peer support)	2	457	December 11, 2017
Alert processing query Graylog Central (peer support)	4	735	August 1, 2018
How to ignore comma in quoted strings? Graylog Central (peer support)	3	1411	April 5, 2019
Graylog Pipeline rule Graylog Central (peer support) windows , nxlog	18	1298	September 26, 2023
Removing all comma(,) in a field Graylog Central (peer support)	3	2988	February 12, 2018

How can I use pipelines to remove commas from events

Related topics