Hello friends,
This subject was addressed at the end of the last topic I created. But to avoid mixing topics, I closed the previous one as resolved. And indeed it was.
I would like to thank again the members of this community who, most of the time, provide me with solutions to problems. Or at least the “stone path”.
Then,
I did a lot of research before writing here!
Summarizing everything at once. I would like to prefix all fields from a given source.
See, it seems to me that this function was requested in 2020 by @jalogisch.
Would there be any way for me to prefix all the fields at once?
Renaming (rename_field) all the fields will make me create a giant, error-prone pipeline. Since there may be “fields” in the future that I am unaware of at the moment.
This pipeline function below even accomplishes the feat I would like. However, in this case, for each “prefixed” field there will also be a “non-prefixed” field respectively.
Reason is: Graylog also does its automatic “parse” of syslog.
Because the log record in this case is within the rigor of the RFC that regulates the syslog format.
rule "fortOS set prefix"
when
    has_field("message")
then
    // Parse the key=value pairs of the syslog body and store each one
    // as a message field with the "fgos_" prefix prepended to its key.
    set_fields(
        fields: key_value(
            value: to_string($message),
            trim_value_chars: "\"",
            trim_key_chars: "",
            delimiters: " ",
            kv_delimiters: "="
        ),
        prefix: "fgos_"
    );
end
And if I try to adopt the solution of creating another pipeline to remove the fields that do not have the prefix. In this case, my CPU/RAM resources will run out quickly.
Not to mention it’s a pretty big maneuver. Therefore, there may be a “function” to do this job of prefixing all the fields at once.
Every help is welcome. Grateful!
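To make the problem concrete, here is an added example that is not part of the post and not Graylog's own code: a small stand-alone Python approximation of the key_value-plus-prefix step used in the rule above, run over a constructed FortiOS-style log body. It shows the fields the prefixed rule produces and why the same pairs, parsed without a prefix, would collide with fields the syslog input already sets (the EXISTING_FIELDS set is an assumption chosen for illustration). The quote-aware tokenizer is my own; it is not a claim about how Graylog's key_value splits tokens.

```python
import re
from typing import Dict, Set

# Constructed sample: one FortiOS-style syslog body in the key=value layout the post
# parses. All values are made up for illustration.
SAMPLE = ('date=2024-01-01 time=10:00:00 devname="fw01" type="traffic" '
          'subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.9 '
          'action="deny" msg="Connection Failed"')

# Fields a Graylog syslog input already places on the message (assumed set, for
# illustration only): anything parsed into one of these names overwrites it.
EXISTING_FIELDS = {"message", "source", "timestamp", "level", "facility", "full_message"}

# One key=value token: a key, "=", then either a double-quoted value (spaces allowed)
# or a bare token. Escaped quotes inside a quoted value are not handled.
_TOKEN = re.compile(r'(?P<key>[^\s=]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


def key_value(message: str, prefix: str = "", trim_value_chars: str = '"',
              trim_key_chars: str = "") -> Dict[str, str]:
    """Parse key=value pairs and return them with `prefix` prepended to every key.

    The parameter names mirror the set_fields/key_value call in the post's rule, but
    this function is a stand-alone approximation, not Graylog's implementation.
    """
    fields: Dict[str, str] = {}
    for m in _TOKEN.finditer(message):
        # str.strip("") strips nothing, so empty trim sets are a no-op as in the rule.
        key = m.group("key").strip(trim_key_chars)
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[prefix + key] = value.strip(trim_value_chars)
    return fields


def colliding_keys(parsed: Dict[str, str], existing: Set[str]) -> Set[str]:
    """Keys in `parsed` that would silently overwrite fields already on the message."""
    return set(parsed) & existing


if __name__ == "__main__":
    unprefixed = key_value(SAMPLE)
    prefixed = key_value(SAMPLE, prefix="fgos_")
    print("unprefixed collisions:", colliding_keys(unprefixed, EXISTING_FIELDS))
    print("prefixed collisions:  ", colliding_keys(prefixed, EXISTING_FIELDS))
    for k, v in prefixed.items():
        print(f"{k} = {v!r}")
```

Running it prints that the unprefixed parse would overwrite `level` (the vendor's textual severity replacing the syslog severity the input already stored), while the `fgos_`-prefixed parse collides with nothing; that collision is the practical reason a consistent prefix matters beyond tidiness.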