I need some help. I’m using Graylog for a VPN target that sends me messages like this:
message: “some data that I don’t need - [userid:xxx; action:Log In; …]”
Are there some extractors that I can use to have key - value attributes?
I mean: something that is able to set the internal square brackets data as key/value fields?
So that I have the original message and the additional fields extracted like:
userid - xxx
action - Log In
and so on
Easiest way is to use pipeline rule, first extract content within
regex() function and then use
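rule "KV VPN"
when has_field("message")
then
  let kv_extract = regex("\\[(.*?)\\]", to_string($message.message));
  let kv_value = to_string(kv_extract["0"]);
  set_fields(key_value(value: kv_value, delimiters: ";", kv_delimiters: ":", trim_key_chars: " ", trim_value_chars: " ",
    allow_dup_keys: true, // the default
    handle_dup_keys: "," // meaning concat, default "take_first"
  ));
end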
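To check the rule's logic against sample lines before deploying it, here is an added Python example (not part of the thread and not Graylog code) that models the bracket regex plus key/value split, including the `handle_dup_keys` choices. The sample messages are constructed, and the `TRAILING` pattern is an assumption for messages where an earlier bracket pair precedes the key/value block.

```python
import re

FIRST = re.compile(r"\[(.*?)\]")               # same pattern as the rule above
TRAILING = re.compile(r"\[([^\[\]]*)\]\s*$")   # assumption: KV block ends the message

def extract_kv(message, handle_dup_keys="take_first", pattern=FIRST):
    """Return the fields found in the bracket group, or {} if none match."""
    m = pattern.search(message)
    if not m:
        return {}
    fields = {}
    for pair in m.group(1).split(";"):
        key, sep, value = pair.partition(":")  # split on the first ':' only
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue                           # skip fragments that are not key:value
        if key not in fields:
            fields[key] = value
        elif handle_dup_keys == "take_last":
            fields[key] = value
        elif handle_dup_keys != "take_first":  # any other string: concatenate with it
            fields[key] += handle_dup_keys + value
    return fields

# Constructed sample messages (not real log data).
PLAIN = "vpn gw1 session event - [userid:alice; action:Log In; ip:203.0.113.7]"
DUPES = "vpn gw1 session event - [userid:bob; group:vpn-users; group:admins]"
PREFIXED = "[gw1] session event - [userid:carol; action:Log Out]"

if __name__ == "__main__":
    for msg in (PLAIN, DUPES, PREFIXED):
        print(extract_kv(msg, ","), "| trailing:", extract_kv(msg, ",", TRAILING))
```

With the first-match pattern, the `PREFIXED` message yields no fields at all, so a search on `userid` would silently miss that event; the trailing-anchored pattern recovers it.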
Thanks a lot for your help and suggestions.