Regular expression Extracter

panklit · November 28, 2017, 3:14pm

Hello,

i’m trying to extract some value from my syslog message but i’m not the best friend of regular expressions.

My string looks like that:

20171128-150445 ?event=B:Connect&time=1511881485&date=20171128-150445&ref=30353f027b1d5a01dce40090333029b3&dir=out&src_if=GW1&dst_if=PRI1

And i would like to extract the values into a new field so i have a field with the title “event” and the content “B:Connect”, next one would be title “time” and content “1511881485”, … i think you get it

Hope someone can help me out.

Thanks and Regards,
Raphael

jtkarvo · November 28, 2017, 6:45pm

hi,

I would do several extractors.
First: if you do not have any more question marks after the first ?, then a split extractor that saves the second value as field “logline”. If there are more question marks later on the line, then a regex extractor like

^[1]\?(>?(.))$

Then, a replace regex extractor for the logline field that replaces all occurrences of & with a space; add a converter that saves all key=value pairs as fields.

^\? ↩︎

Topic		Replies	Views
Spliting a Syslog Output into fields Graylog Central (peer support)	4	1535	January 14, 2019
Regular expression Graylog Central (peer support)	5	1391	July 20, 2018
Key=value extractor and quotes / remove whitespaces with regex and replace Graylog Central (peer support)	7	6218	January 23, 2018
How to Split by \n in Extractors Graylog Central (peer support)	0	669	May 5, 2017
Multiple Fields extractor regex Graylog Central (peer support)	1	2692	January 5, 2018

Regular expression Extracter

Related topics