Pipeline whitespace issues

MAMAOUI · October 21, 2020, 3:14pm

Hi,

I have set up the following rule in a pipeline:

rule "Fortinet parsing"
when
    has_field("message")
then
    // extract all key-value from "message" and prefix it with kv_ 
    set_fields(
                fields: 
                        key_value(
                            value: to_string($message.message),
                            trim_value_chars: "\""
                            )
            );
    route_to_stream(id:"........", remove_from_default:true);
end

but when it comes to values that have whitespace they get cut off, like this:

I tried delimiter but its not working:

key_value(
value: to_string($message.message),
trim_value_chars: “”",
trim_key_chars:""", delimiters:" “,
kv_delimiters:”=") );

How can I get it to ignore the whitespace if it’s part of a value?

Thank you

shoothub · October 22, 2020, 8:51am

I think, it’s a known problem with key_value pipeline function.

Try to use extractor key=value, it should work fine also with spaces:

system · November 5, 2020, 8:51am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Running key=value tokenizer extractor from Pipelines? Graylog Central (peer support)	9	1084	September 23, 2021
Pipelines: Key_value function in conjuntion with whitespaces causes faulty values Graylog Central (peer support)	1	405	February 8, 2021
Disable automatic whitespace trimming? Graylog Central (peer support)	5	650	June 3, 2022
Key value pipeline whitespace issues Graylog Central (peer support) pipeline-rules	3	1587	June 26, 2019
Graylog pipeline keys with spaces Graylog Central (peer support) pipeline-rules , debuggingpl	6	1476	September 3, 2021

Pipeline whitespace issues

Related Topics