Key value pipeline whitespace issues

wazlecracker · June 7, 2019, 3:51pm

I have set up the following rule in a pipeline:

rule "Sophos key value conversion"

when 
from_input("598b455e0e5a2804df3ae95e")

then
set_fields
        (
        fields: key_value
                (
                value: to_string($message.message),
                trim_key_chars: "\"",
                trim_value_chars: "\""
                )
        );
        
end

This works great for creating fields easily, but when it comes to values that have whitespace they get cut off, like this:

How can I get it to ignore the whitespace if it’s part of a value?

tmacgbay · June 7, 2019, 5:02pm

Maybe use grok - look up some examples like:

let message_field = to_string($message.message);
let parsed_fields = grok(pattern: “%{TIMESTAMP_ISO8601:tx_timestamp}\s+%{LOGLEVEL:loglevel}\s+%{NOTSPACE:classname}%{GREEDYDATA:message}”, value: message_field);
set_fields(parsed_fields);

jan · June 12, 2019, 8:12am

I personal would be a little more specific in the rules:

key_value(value: to_string(message), 
             trim_value_chars: "\"",
             trim_key_chars:"\"", delimiters:" ", 
             kv_delimiters:"=");

that should make the trick (at least it does for me)

Topic		Replies	Views
Pipeline whitespace issues Graylog Central (peer support) pipeline-rules , route-to-streampl	2	850	November 5, 2020
Disable automatic whitespace trimming? Graylog Central (peer support)	5	953	June 3, 2022
Pipelines: Key_value function in conjuntion with whitespaces causes faulty values Graylog Central (peer support)	1	443	February 8, 2021
Graylog pipeline keys with spaces Graylog Central (peer support) pipeline-rules , debuggingpl	6	1888	September 3, 2021
Extracting key="some value" in pipelines Graylog Central (peer support)	4	1931	December 22, 2017

Key value pipeline whitespace issues

Related topics