Pipeline Rules and "Split"


(Jalspach) #1

I am using graylogger to send the output of a series of ping commands over to Graylog. I have a pipeline grab those messages (it's easy since I can set the facility) and add fields (RTT min, max, average, stddev, hostname, and packet loss). This is all very straightforward so far.
My question comes in trying to populate those fields. I want to split (or maybe regex) out the data and just can't get something to start working. Can someone point me in the right direction? (I had to munch up the domain names so they didn't show up as links; I am a new user and can only have 2 links in my message :-) )

The fields I want (based on this message) are:
Google.c
0
9.151
9.281
9.369
0.090

full_message

PING google.c (172.217.6.78) 56(84) bytes of data.
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=1 ttl=54 time=9.15 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=2 ttl=54 time=9.36 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=3 ttl=54 time=9.24 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=4 ttl=54 time=9.36 ms
--- google.c ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.151/9.282/9.369/0.090 ms

Thank you for your help on this question!

James


(Jalspach) #2

I have tried what I have below, but the split command is not doing the trick; there is an error there and I don't know how to fix it. Once I get that figured out, I can fold it in and set them all up.

Thank you;

James

rule "Add Ping2Gray Fields"
when
  has_field("facility")
then
  // split(pattern, value, limit) takes the separator pattern first and
  // returns a list; full_message must be converted with to_string first
  let min = split(",", to_string($message.full_message), 5);
  set_field("rtt_min", min);
  set_field("rtt_avg", 0);
  set_field("rtt_max", 0);
  set_field("rtt_mdev", 0);
  set_field("packet_loss", 0);
end


#3

I don’t know for sure, but it seems the fifth field would not be rtt_min, but rtt_avg (the fourth would be “mdev = 9.151”).

Personally, I would first use a regex to narrow down stuff, something like: ([\d]*\.[\d]{3}/[\d]*\.[\d]{3}/[\d]*\.[\d]{3}/[\d]*\.[\d]{3}) (this might need a bit of optimization to be fast, though), and only split from the result.
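As an added illustration of both posts above (not code from the thread or from Graylog), here is the comparison in Python: what a comma split of the sample message actually yields, the "regex first, then split" approach from reply #3 using that reply's pattern unchanged, and a per-field extractor for everything the original poster listed. The two ping outputs are constructed test inputs; the second one (an unreachable host) is assumed to look like standard Linux ping output, which prints no rtt line when nothing was received. In a Graylog rule the equivalent call is regex(pattern, to_string($message.full_message)), whose result map is keyed by capture-group number as strings ("0", "1", ...), so the named groups below correspond to "0".."3" there.

```python
import re

# Constructed sample (not pulled from Graylog): the ping output quoted in the
# thread, with the "---" banner restored and the domain names munged the way
# the original poster munged them.
FULL_MESSAGE = """PING google.c (172.217.6.78) 56(84) bytes of data.
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=1 ttl=54 time=9.15 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=2 ttl=54 time=9.36 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=3 ttl=54 time=9.24 ms
64 bytes from sfo07s17-in-f14.1e100.n (172.217.6.78): icmp_seq=4 ttl=54 time=9.36 ms
--- google.c ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.151/9.282/9.369/0.090 ms
"""

# Constructed second sample, assumed to match Linux ping's output for an
# unreachable host: no rtt line is printed at all, so any extractor that
# blindly indexes into the split result would fail here.
HOST_DOWN_MESSAGE = """PING 10.0.0.9 (10.0.0.9) 56(84) bytes of data.

--- 10.0.0.9 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3005ms
"""

# The pattern suggested in reply #3, unchanged.
RTT_NARROW_RE = re.compile(
    r"([\d]*\.[\d]{3}/[\d]*\.[\d]{3}/[\d]*\.[\d]{3}/[\d]*\.[\d]{3})"
)

# One anchored pattern per field; names are illustrative, not Graylog's.
HOST_RE = re.compile(r"^PING (?P<host>\S+) \(", re.MULTILINE)
LOSS_RE = re.compile(r"(?P<loss>\d+)% packet loss")
RTT_RE = re.compile(
    r"^rtt min/avg/max/mdev = "
    r"(?P<min>\d+\.\d+)/(?P<avg>\d+\.\d+)/(?P<max>\d+\.\d+)/(?P<mdev>\d+\.\d+) ms",
    re.MULTILINE,
)


def split_on_commas(message, limit=5):
    """Mirror split(",", full_message, 5) from post #2 (Java limit semantics:
    at most `limit` pieces). Only the statistics line contains commas, so the
    result has four pieces and none of them is a bare RTT value."""
    return message.split(",", limit - 1)


def narrow_then_split(message):
    """Reply #3's approach: regex out the min/avg/max/mdev run first, then
    split that short string on '/'. Returns None when the run is absent."""
    m = RTT_NARROW_RE.search(message)
    if m is None:
        return None
    return m.group(1).split("/")


def parse_ping_summary(message):
    """Extract every field the poster asked for. packet_loss is always
    reported; the rtt_* fields are None when ping printed no rtt line.
    Returns None for messages that are not a ping summary at all."""
    host = HOST_RE.search(message)
    loss = LOSS_RE.search(message)
    if host is None or loss is None:
        return None
    fields = {
        "ping_host": host.group("host"),
        "packet_loss": int(loss.group("loss")),
        "rtt_min": None, "rtt_avg": None, "rtt_max": None, "rtt_mdev": None,
    }
    rtt = RTT_RE.search(message)
    if rtt is not None:
        for name in ("min", "avg", "max", "mdev"):
            fields["rtt_" + name] = float(rtt.group(name))
    return fields


if __name__ == "__main__":
    print(split_on_commas(FULL_MESSAGE))
    print(narrow_then_split(FULL_MESSAGE))
    print(parse_ping_summary(FULL_MESSAGE))
    print(parse_ping_summary(HOST_DOWN_MESSAGE))
```

The point of the second sample is that a rule built on split alone has nothing to index when the host is down, which is exactly the message you most want the packet_loss field on; matching each field with its own anchored pattern and leaving the rtt fields unset when the line is missing keeps the rule from failing on those messages.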


(Jalspach) #4

I couldn’t get that rule to work at all, let alone what data it was going to pull. I guess I am using split wrong. The code I posted above won’t even save. lol
But thank you @jtkarvo a ton for the help! I am going to try playing with regex now to try and get what I need.

I will let you know what I find.

Thanks again

James


(Jalspach) #5

I will play with it more tomorrow, but I think it looks like I just don't know how to correctly use regex or split in the pipeline rules. If I could even get the wrong values I could keep tweaking, but I can't even get the rules to compile lol. The rules quick reference makes it look so simple lol, and I am sure it is…once I get to that point.
I love the power that the pipelines and their rules give us. I have lots of things I want to do but…I need to figure out how to extract part of the message first.

Until tomorrow…Thank you again :smile:

James


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.