I get a lot of search results for key=value problems when the value contains spaces, but our thing is the opposite:
we would like to extract key=value pairs from syslog messages like:
<158>1 2020-10-01T10:02:06.722989+02:00 server daemon 572 - [timeQuality tzKnown="1" isSynced="0"] Oct 01 10:02:06 daemon : 220.127.116.11 "POST /url/ActiveSync?User=username&DeviceId=H2QDT76P3PNAGKO&DeviceType=iPad&Cmd=Sync
Of course the tzKnown etc. are extracted, but items like "User=username" and "DeviceType=iPad" are not extracted, I guess because they are not 'ended' by spaces, but are API URLs, delimited by &.
How can we make extract key=value work, also for those URL-like lines?
Graylog can expand syslog structured data (tzKnown, isSynced) automatically; it's not necessary to create a KV extractor for it. Edit the Input and check "Expand structured data?" (Expand structured data elements by prefixing attributes with their SD-ID?).
To KV the values in the URL:
- Create an extractor (GROK/regex) to extract only the URL parameters into a field, e.g.
- Use a pipeline rule which extracts the URL parameters, separated by &:
rule "activesync url"
when has_field("url_query") // field filled by the extractor above (field name assumed)
then
  set_fields(key_value(value: to_string($message.url_query), delimiters: "&", kv_delimiters: "=",
    allow_dup_keys: true,   // the default
    handle_dup_keys: ","));  // meaning concat, default "take_first"
end
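As an added illustration of what the two steps above do (not Graylog's own code and not part of the original reply), here is a small Python model. It expands the RFC 5424 structured-data element the way the input option does (SD-ID prefix, underscore, parameter name), pulls the query string out of the quoted request line, and splits it on `&` with a `key_value()` approximation that supports Graylog's `take_first` / `take_last` / join-string duplicate handling. The log line is constructed from the one in the question, with a second `Cmd=` parameter added to exercise duplicate handling; the regexes, function names and the URL-decoding step are my choices, not Graylog behaviour.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample, modelled on the message in the question (not a real capture);
# a second Cmd= parameter is added so that duplicate-key handling is visible.
SAMPLE = ('<158>1 2020-10-01T10:02:06.722989+02:00 server daemon 572 - '
          '[timeQuality tzKnown="1" isSynced="0"] Oct 01 10:02:06 daemon : '
          '220.127.116.11 "POST /url/ActiveSync?User=username&DeviceId=H2QDT76P3PNAGKO'
          '&DeviceType=iPad&Cmd=Sync&Cmd=Ping"')

# RFC 5424 SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?:\s+[^\s=\]]+="[^"]*")*)\]')
SD_PARAM = re.compile(r'(?P<key>[^\s=\]]+)="(?P<val>[^"]*)"')
# Query string of the quoted request line: "METHOD /path?query"
QUERY = re.compile(r'"[A-Z]+\s+\S*?\?(?P<query>[^\s"]+)')


def expand_structured_data(msg):
    """Prefix each SD-PARAM with its SD-ID, like the 'Expand structured data' input option."""
    fields = {}
    for elem in SD_ELEMENT.finditer(msg):
        sd_id = elem.group('id')
        for p in SD_PARAM.finditer(elem.group('params')):
            fields[f"{sd_id}_{p.group('key')}"] = p.group('val')
    return fields


def key_value(text, delimiters='&', kv_delimiters='=', ignore_empty_values=True,
              allow_dup_keys=True, handle_dup_keys='take_first'):
    """Approximation of Graylog's key_value() pipeline function (not Graylog's code).

    handle_dup_keys is 'take_first', 'take_last', or any other string, which is then
    used to join the values of a repeated key. allow_dup_keys=False rejects repeats
    (modelled here as a ValueError; an assumption about how the real function fails).
    """
    out = {}
    for pair in re.split('[' + re.escape(delimiters) + ']+', text):
        kv = re.split('[' + re.escape(kv_delimiters) + ']', pair, maxsplit=1)
        if len(kv) != 2:
            continue  # chunk without a key/value delimiter
        key, val = unquote_plus(kv[0]), unquote_plus(kv[1])  # decoding is my choice
        if not key or (ignore_empty_values and val == ''):
            continue
        if key not in out:
            out[key] = val
        elif not allow_dup_keys:
            raise ValueError(f'duplicate key {key!r}')
        elif handle_dup_keys == 'take_first':
            pass
        elif handle_dup_keys == 'take_last':
            out[key] = val
        else:
            out[key] = out[key] + handle_dup_keys + val
    return out


def extract_url_params(msg, **kv_options):
    """Find the query string in the request line and split it into fields."""
    m = QUERY.search(msg)
    if not m:
        return {}
    return key_value(m.group('query'), **kv_options)


if __name__ == '__main__':
    print(expand_structured_data(SAMPLE))
    print(extract_url_params(SAMPLE, handle_dup_keys=','))
```

With the sample above, `expand_structured_data` yields `timeQuality_tzKnown` and `timeQuality_isSynced`, and `extract_url_params(..., handle_dup_keys=',')` yields `Cmd` as `Sync,Ping`, while the default `take_first` keeps only `Sync`. Note that the pipeline rule in the reply does not URL-decode values; the `unquote_plus` call here is an extra step for readability of the result.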
I enabled 'expand structured data' for the input (syslog UDP) in question, and removed the key=value extractor, but since then fields like tzKnown are no longer extracted…
Will need to take a closer look at stage two of your reply, with the pipeline rule etc. That’s new for me
Thanks for the reply!
It should be extracted as fields: timeQuality_isSynced, timeQuality_syncAccuracy, timeQuality_tzKnown
Ah I missed that! Yes they are. Apologies!