1. Describe your incident:
I’m attempting to use a pipeline rule to extract additional fields from the http_uri_query field from MS Exchange ActiveSync IIS logs. The http_uri_query field contains a string like
There are multiple key/value pairs in the format Key:Value_, where _ is the delimiter between pairs.
2. Describe your environment:
OS Information: Ubuntu 20.04
Package Version: 4.3.9
3. What steps have you already taken to try and solve the problem?
It’s easy enough to use the key_value() function to extract them, but I’m trying to take it one step further and convert the key (read: field name) portion to lowercase:
I’m aware that I can’t do this using the key_value() function, so I’m trying to use
let renamed_fields = regex_replace("((?:|[^:_])*):", to_string($message.http_uri_query), lowercase("$1:"));
This pattern matches, but unfortunately the lowercase() function doesn’t work, and the net result is that renamed_fields is the same as $message.http_uri_query.
4. How can the community help?
Can this be accomplished without having to use rename_field()? This challenge isn’t just limited to setting field names (although I’m open to solving it in the context of field names); it appears to be a limitation of the
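Added example, not part of the original post and not Graylog pipeline code: a Python model of the behaviour described above, next to a per-pair parse that lowercases only the key. It assumes the replacement argument is evaluated before the regex substitution sees any match; the sample string and all function names are constructed for illustration.

```python
import re

# Constructed sample in the post's Key:Value_ format (not a real log value).
SAMPLE = "Cmd:Sync_Ty:Em_Ssu:200_Dc:1_"

# Simplified form of the key pattern: a run of non-delimiter characters before ':'.
KEY_RE = re.compile(r"([^:_]*):")


def eager_replace(query):
    """Model of the rule in the post: lowercase the replacement template first."""
    # The template is lowercased before any match exists. It contains only
    # the placeholder and ':', so it is unchanged and the keys come back as-is.
    template = r"\1:".lower()
    return KEY_RE.sub(template, query)


def callback_replace(query):
    """Lowercase per match, after the capture group has a value."""
    # Caveat: the pattern also matches 'x:' inside a value that contains ':'.
    return KEY_RE.sub(lambda m: m.group(1).lower() + ":", query)


def lowercase_keys(query):
    """Split Key:Value_ pairs and lowercase only the key part."""
    fields = {}
    for pair in query.split("_"):
        # Split on the first ':' only, so colons inside a value survive.
        key, sep, value = pair.partition(":")
        if not sep or not key:
            continue  # trailing delimiter or fragment without a key
        # Keys that differ only by case collapse to one name: first one wins.
        fields.setdefault(key.lower(), value)
    return fields


if __name__ == "__main__":
    print(eager_replace(SAMPLE))
    print(callback_replace(SAMPLE))
    print(lowercase_keys(SAMPLE))
```
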