Morning all,
I am trying to extract the syslog levels from all incoming messages. I have the below configured, however nothing is being inserted into the message. I have tried inserting it into the pipeline that moves all the messages into a stream and have also tried inserting it into a second pipeline that is removing messages from the same input; neither is adding the syslog information.
Could someone please tell me where I am going wrong?
Pipeline rule:
rule "Extract Syslog Level"
when
has_field("message")
then
// take the raw message text
let message = to_string($message.message);
debug(message);
// run the custom grok pattern against it
let gl2_fragment_grok_results = grok(
pattern: "ExtractSyslogLevel",
value: message
);
debug(gl2_fragment_grok_results);
// write every named capture back onto the message
set_fields(gl2_fragment_grok_results);
end
Grok Pattern: (ExtractSyslogLevel)
<%{INT:syslog_pri}>%{INT:seq_num}: %{MONTH} +%{MONTHDAY} %{TIME}: %%{DATA:facility}-%{INT:log_level}-%{DATA:event_type}: %{GREEDYDATA:message}
Sample Message:
{
"BST": "2025-06-30T09:21:14.427Z",
"gl2_accounted_message_size": 199,
"gl2_receive_timestamp": "2025-06-30 08:21:14.427",
"gl2_remote_ip": "10.10.10.53",
"gl2_remote_port": 52982,
"streams": [
"68494e077bea852124af5ebf"
],
"gl2_message_id": "01JYZYT4HV018GPKMNPRXNMJQE",
"source": "10.10.10.53",
"message": "<187>1286925: Jun 30 09:21:13: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/6, changed state to down",
"gl2_source_input": "68555caf17188516f66906fd",
"gl2_processing_timestamp": "2025-06-30 08:21:14.429",
"gl2_source_node": "14982ea2-1eab-43eb-9b8b-6931d316e432",
"_id": "301987c0-558b-11f0-8318-c6119594b083",
"gl2_processing_duration_ms": 2,
"timestamp": "2025-06-30T08:21:14.427Z"
}
Debugs:
Debug message = <187>1286925: Jun 30 09:21:13: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/6, changed state to down
Debug gl2_fragment_grok_results = [Function] PIPELINE DEBUG: {}
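For comparison, here is a stand-alone parser that does what the grok pattern and rule above are meant to do: match the Cisco-style line, pull out the named captures, and additionally decode the `<PRI>` value into its RFC 5424 facility and severity (which is what "syslog level" usually means). This is an added example, not Graylog's grok engine or code from the post; the regex is an assumed hand-expansion of the grok pattern (`INT`, `MONTH`, `MONTHDAY`, `TIME`, `DATA`, `GREEDYDATA` replaced by explicit sub-patterns), and the sample lines are taken from the post plus one constructed non-matching line.

```python
"""Parse Cisco IOS style syslog lines as the post's grok pattern intends, and decode
the <PRI> into RFC 5424 facility/severity. Added example, not Graylog code."""
import re
from typing import Any, Dict

# Assumed regex equivalent of the grok pattern "ExtractSyslogLevel":
#   INT -> \d+, MONTH -> three-letter month, MONTHDAY -> \d{1,2},
#   TIME -> HH:MM:SS, DATA -> .*? (non-greedy), GREEDYDATA -> .*
CISCO_SYSLOG_RE = re.compile(
    r"<(?P<syslog_pri>\d+)>(?P<seq_num>\d+): "
    r"(?P<month>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +(?P<monthday>\d{1,2}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}): "
    r"%(?P<facility>.*?)-(?P<log_level>\d+)-(?P<event_type>.*?): "
    r"(?P<message>.*)"
)

# RFC 5424 severity (0-7) and facility (0-23) names.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]


def decode_pri(pri: int) -> Dict[str, Any]:
    """Split a syslog PRI into facility (pri // 8) and severity (pri % 8)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "syslog_facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "syslog_severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
    }


def parse_cisco_syslog(line: str) -> Dict[str, Any]:
    """Return the named captures (plus decoded PRI), or {} when the line does not match,
    which mirrors the empty {} the post's debug() output shows for a failed grok."""
    m = CISCO_SYSLOG_RE.match(line)
    if m is None:
        return {}
    fields: Dict[str, Any] = m.groupdict()
    for key in ("syslog_pri", "seq_num", "log_level"):
        fields[key] = int(fields[key])
    fields.update(decode_pri(fields["syslog_pri"]))
    return fields


# Sample from the post, and one constructed line without the Cisco sequence number.
SAMPLE_MESSAGE = (
    "<187>1286925: Jun 30 09:21:13: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/6, changed state to down"
)
NON_MATCHING_MESSAGE = "<187>Jun 30 09:21:13 switch01: %LINK-3-UPDOWN: link down"  # constructed

if __name__ == "__main__":
    for line in (SAMPLE_MESSAGE, NON_MATCHING_MESSAGE):
        print(parse_cisco_syslog(line))
```

Two things worth checking against your own output: the pattern's last capture is named `message`, so once the grok results are written with `set_fields` the original full line is overwritten by the trailing free text; and `<187>` decodes to facility 23 (`local7`) with severity 3 (`err`), whereas the `log_level` capture (`3` in `%LINK-3-UPDOWN`) is the Cisco severity embedded in the mnemonic, which for IOS happens to carry the same scale but is a different field.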