One type of syslog I ingest already has added a second \ to existing \ in the message.
For example:
Raw Log = user\\computer
Graylog Result = usercomputer
Whereas I want to see: user\computer
I've tried this rule but Graylog doesn't seem to like dealing with backslashes (\). I've also tried escaping with a / (so replace(to_string($message.full_message), "\", "/");) and that doesn't work either.
Any ideas?
```
rule "Slash Replace"
when
  has_field("message")
then
  let message = replace(to_string($message.full_message), "\\", "\");
end
```
Just for clarification: if you use the options available in the editor, you have the ability to choose "code", which can be done by selecting the icon at the top of the editor window.
It is the one with </> that gives you a code window where nothing is mangled or changed.
Surrounding code with three backticks ``` will allow the code to span multiple lines. Typing:
Your first post's pipeline rule is not correct, because you use a bad backslash escape and don't rewrite the message field at all. So try this instead:
```
rule "fix double backslash"
when
  has_field("message")
then
  // "\\\\" is the two-character string \\ at runtime, "\\" is a single \
  let fix_message = replace(to_string($message.message), "\\\\", "\\");
  // without set_field the computed value is discarded and the message is unchanged
  set_field("message", fix_message);
end
```
Four backslashes are necessary, because you need to escape every backslash with a backslash: in this case there are 2 backslashes, so each one needs its own escaping backslash, which gives 4.
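To make the escaping layers in that answer visible, here is an added example in Python (not code from the thread or from Graylog itself). Python string literals treat backslashes the same way the pipeline rule language does, and `str.replace()` is a literal, non-regex replacement like Graylog's `replace()`, so the same four-backslash literal does the same work. The sample message, the field names and the `apply_rule` helper are assumptions made for the demonstration; they mirror the `has_field` / `let` / `set_field` shape of the rule, not Graylog's internal API.

```python
# Added example, not from the original thread: the escaping behind
#   replace(to_string($message.message), "\\\\", "\\")
# Python string literals and str.replace() behave like the Graylog rule
# language and its literal (non-regex) replace() for this purpose.

# Constructed sample data: what the syslog sender delivered and what we want.
SAMPLE_RAW = r"user\\computer"   # two backslashes on the wire
EXPECTED = r"user\computer"      # one backslash, as intended


def collapse_double_backslash(text: str) -> str:
    """Equivalent of replace(..., "\\\\", "\\") in the pipeline rule.

    The source literal "\\\\" becomes the 2-character runtime string \\ (a
    doubled backslash); the literal "\\" becomes the 1-character string \.
    """
    search = "\\\\"       # runtime: two backslashes
    replacement = "\\"    # runtime: one backslash
    assert len(search) == 2 and len(replacement) == 1
    return text.replace(search, replacement)


def apply_rule(message: dict) -> dict:
    """Mirror of the corrected rule (hypothetical helper, not Graylog's API):
    when has_field("message") then let fix = replace(...); set_field(...).
    Returns a modified copy of the message fields."""
    if "message" not in message:          # has_field("message") is false
        return dict(message)
    fixed = dict(message)
    fixed["message"] = collapse_double_backslash(message["message"])  # set_field
    return fixed


def rule_without_set_field(message: dict) -> dict:
    """The first post's mistake: the value is computed with `let` but never
    stored, so the message leaves the pipeline unchanged."""
    if "message" in message:
        _unused = collapse_double_backslash(message["message"])
    return dict(message)


def is_idempotent_on(text: str) -> bool:
    """Caveat: the rule collapses *every* doubled backslash, so running it
    twice (or on input that legitimately contains \\\\) keeps shrinking the
    string. Returns True only when a second pass changes nothing."""
    once = collapse_double_backslash(text)
    return collapse_double_backslash(once) == once


if __name__ == "__main__":
    print(apply_rule({"source": "host1", "message": SAMPLE_RAW})["message"])
    print("idempotent on", repr(r"a\\\\b"), "->", is_idempotent_on(r"a\\\\b"))
```

Running the block prints `user\computer`, and the second line reports `False` for a message that carried four backslashes, because the rule turns `a\\\\b` into `a\\b` on the first pass and into `a\b` on the next. If the source can legitimately send a backslash that is itself escaped (a JSON-encoded Windows path, for example), attach the rule only to the stream or input where you know the doubling is an encoding artifact rather than data.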