Regular expression Extracter

panklit · November 28, 2017, 3:14pm

Hello,

i’m trying to extract some value from my syslog message but i’m not the best friend of regular expressions.

My string looks like that:

20171128-150445 ?event=B:Connect&time=1511881485&date=20171128-150445&ref=30353f027b1d5a01dce40090333029b3&dir=out&src_if=GW1&dst_if=PRI1

And i would like to extract the values into a new field so i have a field with the title “event” and the content “B:Connect”, next one would be title “time” and content “1511881485”, … i think you get it

Hope someone can help me out.

Thanks and Regards,
Raphael

jtkarvo · November 28, 2017, 6:45pm

hi,

I would do several extractors.
First: if you do not have any more question marks after the first ?, then a split extractor that saves the second value as field “logline”. If there are more question marks later on the line, then a regex extractor like

^[1]\?(>?(.))$

Then, a replace regex extractor for the logline field that replaces all occurrences of & with a space; add a converter that saves all key=value pairs as fields.

^\? ↩︎

system · December 12, 2017, 6:45pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extractor help needed Graylog Central (peer support)	2	814	March 15, 2021
Regex extractor bug? Graylog Central (peer support)	2	709	November 14, 2019
Help wirh Regular expression Extractor Graylog Central (peer support)	4	1208	March 29, 2021
Extracting XML fields Graylog Central (peer support) sidecar , nxlog , winlogbeat , multi-linenx	8	5899	April 7, 2017
Problems with regular expression extractor for json (prior to json extractor) Graylog Central (peer support)	2	898	December 5, 2022

Regular expression Extracter

Related topics