Key value pipeline whitespace issues

I have set up the following rule in a pipeline:

rule "Sophos key value conversion"
when
    from_input("598b455e0e5a2804df3ae95e")
then
    set_fields(
        fields: key_value(
            value: to_string($message.message),
            trim_key_chars: "\"",
            trim_value_chars: "\""
        )
    );
end

This works great for creating fields easily, but when it comes to values that have whitespace they get cut off, like this:

How can I get it to ignore the whitespace if it’s part of a value?

Maybe use grok - look up some examples like:

let message_field = to_string($message.message);
// Backslashes must be doubled inside pipeline rule string literals.
let parsed_fields = grok(pattern: "%{TIMESTAMP_ISO8601:tx_timestamp}\\s+%{LOGLEVEL:loglevel}\\s+%{NOTSPACE:classname}%{GREEDYDATA:message}", value: message_field);
set_fields(parsed_fields);

I personally would be a little more specific in the rules:

key_value(value: to_string($message.message),
             trim_value_chars: "\"",
             trim_key_chars: "\"", delimiters: " ",
             kv_delimiters: "=");

That should do the trick (at least it does for me).
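
Added example, not from the thread and not Graylog's own implementation: a Python sketch that models delimiter-first splitting, which reproduces the cut-off values described in the question, beside a quote-aware parser that keeps whitespace inside quoted values. The sample log line and all function names are constructed for illustration.

```python
import re

# Constructed Sophos-style sample line (not taken from the thread).
SAMPLE = ('device="SFW" log_type="Firewall" status="Allow" '
          'fw_rule_name="Allow LAN to WAN" src_ip=10.0.0.5 '
          'message="user login failed"')


def naive_kv(line, delimiter=" ", kv_delimiter="=", trim='"'):
    """Split on the pair delimiter first, then on '='.

    Assumed model of the truncation: a quoted value containing spaces is
    broken into several tokens, and only the first one keeps its key.
    """
    fields = {}
    for token in line.split(delimiter):
        if kv_delimiter not in token:
            continue  # remainder of a quoted value, silently dropped
        key, value = token.split(kv_delimiter, 1)
        fields[key.strip(trim)] = value.strip(trim)
    return fields


# key, '=', then a double-quoted value (backslash escapes allowed) or a bare token
PAIR = re.compile(
    r'"?(?P<key>[\w.\-]+)"?=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)


def quote_aware_kv(line):
    """Parse key=value pairs, keeping whitespace that sits inside quotes."""
    fields = {}
    for m in PAIR.finditer(line):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


def truncated_fields(line):
    """Keys whose value differs between the two parsers (lost data)."""
    naive, full = naive_kv(line), quote_aware_kv(line)
    return sorted(k for k, v in full.items() if naive.get(k) != v)


if __name__ == "__main__":
    print(quote_aware_kv(SAMPLE))
    print("truncated by naive split:", truncated_fields(SAMPLE))
```

Running `truncated_fields` over a sample of real input is a quick way to see which fields would lose data before a rule goes live.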
