Key:value extractor

Hi all,
I need some help. I'm using Graylog for a VPN target that sends me messages like this:

message: “some data that I don’t need - [userid:xxx; action:Log In; …]”
Are there some extractors that I can use to get key-value attributes?

I mean: something that is able to set the data inside the square brackets as key/value fields?
So that I have the original message and the additional fields extracted like:
userid - xxx
action - Log In

and so on
Thanks

The easiest way is to use a pipeline rule: first extract the content within [] with the regex() function and then use the key_value() function:

rule "KV VPN"
when
    has_field("message")
then
    // capture the text between the first pair of square brackets;
    // the first capture group is returned under the key "0"
    let kv_extract = regex("\\[(.*?)\\]",to_string($message.message));
    let kv_value = to_string(kv_extract["0"]);
    // split the pairs on ";" and each key from its value on ":",
    // then add every pair as a field on the message
    set_fields(key_value(
            value: kv_value,
            delimiters: ";",
            kv_delimiters: ":",
            ignore_empty_values: true,
            allow_dup_keys: true, // the default
            handle_dup_keys: ","  // meaning concat, default "take_first"
    ));
end
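
As an added illustration, not from the original thread and not Graylog's own code, the Python script below emulates what the rule above does on a few constructed VPN-style lines, so the resulting fields can be checked before the rule goes live. It follows the key_value() parameters described above (delimiters, kv_delimiters, ignore_empty_values, allow_dup_keys, handle_dup_keys with "," meaning concatenation and "take_first" as default). The trimming of whitespace around keys and values, the "take_last" option, splitting only at the first kv delimiter so a value like a timestamp keeps its inner colons, and raising on a duplicate key when allow_dup_keys is false are assumptions of this emulation, not behaviour the post states.

```python
import re
from typing import Dict

# Constructed sample messages in the shape described in the question
# (not real VPN logs from the original post).
SAMPLE_MESSAGES = [
    "some data that I don't need - [userid:xxx; action:Log In; src:10.0.0.5]",
    "prefix text [userid:yyy; action:Log Out; action:Timeout; empty:]",
    "line without any brackets at all",
    "login event [userid:zzz; time:12:30:05]",
]

# Same pattern as the pipeline rule: non-greedy, so only the first [...] is taken.
BRACKET_RE = re.compile(r"\[(.*?)\]")


def extract_bracketed(message: str) -> str:
    """Emulate regex("\\[(.*?)\\]", message)["0"]: the first capture group, or "" when nothing matches."""
    match = BRACKET_RE.search(message)
    return match.group(1) if match else ""


def key_value(
    value: str,
    delimiters: str = " ",
    kv_delimiters: str = "=",
    ignore_empty_values: bool = True,
    allow_dup_keys: bool = True,
    handle_dup_keys: str = "take_first",
    trim_key_chars: str = "",
    trim_value_chars: str = "",
) -> Dict[str, str]:
    """Emulation of the pipeline key_value() parameters (assumed semantics, see lead-in)."""
    fields: Dict[str, str] = {}
    # Any character in `delimiters` separates pairs; any in `kv_delimiters` separates key from value.
    pair_splitter = re.compile("[" + re.escape(delimiters) + "]")
    kv_splitter = re.compile("[" + re.escape(kv_delimiters) + "]")
    for raw_pair in pair_splitter.split(value):
        pair = raw_pair.strip()
        if not pair:
            continue  # e.g. the empty tail after a trailing ";"
        parts = kv_splitter.split(pair, maxsplit=1)  # assumption: split at the first kv delimiter only
        if len(parts) != 2:
            continue  # token without a kv delimiter, nothing to map
        key = parts[0].strip().strip(trim_key_chars)
        val = parts[1].strip().strip(trim_value_chars)
        if not key:
            continue
        if ignore_empty_values and val == "":
            continue
        if key not in fields:
            fields[key] = val
        elif not allow_dup_keys:
            raise ValueError(f"duplicate key {key!r} and allow_dup_keys is false")
        elif handle_dup_keys == "take_first":
            continue
        elif handle_dup_keys == "take_last":
            fields[key] = val
        else:
            # Any other string is used as the concatenation separator, as "," in the rule above.
            fields[key] = fields[key] + handle_dup_keys + val
    return fields


def extract_vpn_fields(message: str) -> Dict[str, str]:
    """The two steps of the pipeline rule: bracket extraction, then key/value parsing with its parameters."""
    kv_value = extract_bracketed(message)
    return key_value(
        kv_value,
        delimiters=";",
        kv_delimiters=":",
        ignore_empty_values=True,
        allow_dup_keys=True,
        handle_dup_keys=",",
    )


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(line)
        print("   ->", extract_vpn_fields(line))
```

Two things worth checking against real data when running this: the regex is non-greedy, so a "]" inside the bracketed section cuts the match short, and a message with no brackets yields an empty string, in which case the rule sets no fields. If that second case is common, gating the when clause on the regex result rather than on has_field("message") keeps key_value() from being called on empty input.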

Hi @shoothub,
thanks a lot for your help and suggestions
