Welp, that kinda worked and did what I asked.
This function successfully kills the original message and its bogus fields…
rule "TEST FGT-Direct re-parser"
when
from_input(name: "FGT special TCP Syslog 10514")
then
// Keep the raw text, full message and source of the incoming message.
let msgtext = to_string($message.message);
let msgfull = to_string($message.full_message);
let msgsource = to_string($message.source);
// FIXME: Next line is Fortinet-specific.
// Generic solution: let eventtime = to_date($message.timestamp);
let eventtime = parse_unix_milliseconds(to_long($message.eventtime)/1000000);
// Drop the original message; the new message created below is still emitted.
drop_message();
let nmsg = create_message(msgtext, msgsource, eventtime);
set_field(field:"full_message", value:msgfull, message:nmsg);
// FIXME: Parsing for your logs goes here... or into the next pipeline stage
let k_v = key_value(value:msgtext, delimiters:" ", kv_delimiters:"=", trim_value_chars:"\"");
set_fields(fields:k_v, message:nmsg);
// Map the textual syslog level to its numeric value via a lookup table.
let level_int = lookup_value("SyslogLevels", nmsg.level, 0);
set_field(field:"level", value:to_long(level_int), message:nmsg);
route_to_stream(name: "ZZ Scratchpad", message: nmsg, remove_from_default: true);
end
… but it ultimately failed to do what I need, because the key_value function in Pipelines, while more configurable than its key=value tokenizer extractor counterpart, seems unable to handle spaces in quoted fields.
I guess I’ll have to ask about that in a new topic: Running key=value tokenizer extractor from Pipelines?
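The quoting problem described in the post, as an added example that is not part of the original post: a small Python tokenizer for FortiGate-style key=value lines that keeps spaces inside double-quoted values, next to a naive split-on-space tokenizer that shows how such values get truncated. The sample log line is constructed, not taken from a real device.

```python
import re
from typing import Dict

# One key=value pair: the value is either double-quoted (spaces and \" escapes
# allowed inside the quotes) or a bare run of non-whitespace characters.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]+)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a space-separated key=value line, honouring double quotes."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        if m.group("quoted") is not None:
            # Unescape \" inside the quoted value.
            value = m.group("quoted").replace('\\"', '"')
        else:
            value = m.group("bare")
        fields[m.group("key")] = value
    return fields


def naive_kv(line: str) -> Dict[str, str]:
    """Mimic a tokenizer that splits on every space first, then trims quotes.

    Tokens without '=' (the rest of a quoted value) are silently lost, and the
    first token keeps only the part of the value before the first space.
    """
    fields: Dict[str, str] = {}
    for token in line.split(" "):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key] = value.strip('"')
    return fields


# Constructed sample line in the FortiGate key=value style discussed above.
SAMPLE = (
    'date=2024-01-01 time=12:00:00 devname="fgt-edge" level=warning '
    'msg="Some message with spaces" srcip=10.0.0.5'
)

if __name__ == "__main__":
    print("quote-aware:", parse_kv(SAMPLE)["msg"])   # Some message with spaces
    print("naive      :", naive_kv(SAMPLE)["msg"])   # Some
```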