Key value pipeline whitespace issues

wazlecracker · June 7, 2019, 3:51pm

I have set up the following rule in a pipeline:

rule "Sophos key value conversion"

when 
from_input("598b455e0e5a2804df3ae95e")

then
set_fields
        (
        fields: key_value
                (
                value: to_string($message.message),
                trim_key_chars: "\"",
                trim_value_chars: "\""
                )
        );
        
end

This works great for creating fields easily, but when it comes to values that have whitespace they get cut off, like this:

How can I get it to ignore the whitespace if it’s part of a value?

tmacgbay · June 7, 2019, 5:02pm

Maybe use grok - look up some examples like:

let message_field = to_string($message.message);
let parsed_fields = grok(pattern: “%{TIMESTAMP_ISO8601:tx_timestamp}\s+%{LOGLEVEL:loglevel}\s+%{NOTSPACE:classname}%{GREEDYDATA:message}”, value: message_field);
set_fields(parsed_fields);

jan · June 12, 2019, 8:12am

I personal would be a little more specific in the rules:

key_value(value: to_string(message), 
             trim_value_chars: "\"",
             trim_key_chars:"\"", delimiters:" ", 
             kv_delimiters:"=");

that should make the trick (at least it does for me)

system · June 26, 2019, 8:12am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline whitespace issues Graylog Central (peer support) pipeline-rules , route-to-streampl	2	821	November 5, 2020
Graylog pipeline keys with spaces Graylog Central (peer support) pipeline-rules , debuggingpl	6	1708	September 3, 2021
Running key=value tokenizer extractor from Pipelines? Graylog Central (peer support)	9	1188	September 23, 2021
Disable automatic whitespace trimming? Graylog Central (peer support)	5	791	June 3, 2022
Extracting key="some value" in pipelines Graylog Central (peer support)	4	1881	December 22, 2017

Key value pipeline whitespace issues

Related topics