Key:value extractor

Hi all,
I need an help. I’m using Graylog for VPN target that send me messages like this:

message: “some data that I don’t need - [userid:xxx; action:Log In; …]”
Is there some extractors that I can use to have key - value attributes?

I means: something that is able to set the internal square brackets data as key/value fields?
So that I have the original message and the additional fields extracted like:
userid - xxx
action - Lon In

and so on

Easiest way is to use pipeline rule, first extract content within [] with regex() function and than use key_value() function:

rule "KV VPN"
    let kv_extract = regex("\\[(.*?)\\]",to_string($message.message));
    let kv_value = to_string(kv_extract["0"]);
            value: kv_value,
            delimiters: ";",
            kv_delimiters: ":",
            ignore_empty_values: true,
            allow_dup_keys: true, // the default
            handle_dup_keys: ","  // meaning concat, default "take_first"

Hi @shoothub,
thanks a lot for your help and suggestions

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.