I am collecting nginx logs in Graylog. One of the log fields is the xff header.
Now the xff header can have an unpredictable number of IPs.
Sometimes the string is like “xff=1.1.1.1”, sometimes it is like “xff=2.2.2.2, 1.1.1.1”, and sometimes it reaches up to 5 IPs.
Now I want to parse them into different fields. I do not know how to do it.
What I want is: for “xff=1.1.1.1” it should be “xff1=1.1.1.1”, and for “xff=2.2.2.2, 1.1.1.1” it should be “xff1=2.2.2.2, xff2=1.1.1.1”.
Is it possible? Or does someone have any other idea?
jochen (Jochen):
You could probably use the split() function to split the contents of the “xff” field into a list.
Can you show me a sample pipeline or extractor code for this?
jochen (Jochen):
Sure:
rule "split-xff"
when
  // only run on messages that actually carry the header field
  has_field("xff")
then
  let xff_orig = to_string($message.xff);
  // split on a comma followed by optional whitespace; the result is a list of strings
  let xff = split(",\\s*", xff_orig);
  // store the list back into the field
  set_field("xff", xff);
end
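The same split carried through to the numbered xff1, xff2, … fields the question asked for, as an added Python example (not the forum's pipeline code), together with the check a practitioner wants alongside it: the header is appended to hop by hop, so only the rightmost entries written by proxies you operate are trustworthy, and the leftmost value is whatever the client chose to send. The trusted_proxies list and the sample header values are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Same separator as the pipeline rule: a comma followed by optional whitespace.
SPLIT_RE = re.compile(r",\s*")


def _entries(xff: str) -> List[str]:
    """Split the raw header value into its non-empty entries, in order."""
    return [e for e in SPLIT_RE.split(xff.strip()) if e]


def split_xff(xff: str) -> Dict[str, str]:
    """Map "2.2.2.2, 1.1.1.1" to {"xff1": "2.2.2.2", "xff2": "1.1.1.1"}.

    Works for any number of entries, so a five-address header yields xff1..xff5.
    """
    return {f"xff{i}": entry for i, entry in enumerate(_entries(xff), start=1)}


def client_ip(xff: str, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the rightmost address that is not one of our own proxies.

    Walking from the right skips the hops we control; the first address that is
    not ours is the best available client address. Anything further left was
    supplied by an untrusted party and is kept only for the record (see
    split_xff), never used for decisions. A malformed entry on the way yields
    None rather than a guess.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    for entry in reversed(_entries(xff)):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None
        if not any(addr in net for net in nets):
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample: a client-supplied fake address, then two real hops.
    sample = "9.9.9.9, 2.2.2.2, 1.1.1.1"
    print(split_xff(sample))
    print("client:", client_ip(sample, trusted_proxies=["1.1.1.0/24"]))
```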