Hello Graylog community,
I have a simple question today: Can pipelines do what the “key=value” tokenizer extractor does?
I know the pipelines have the key_value() function, but while it is more configurable than its key=value tokenizer extractor counterpart, there seems to be no way to handle spaces in quoted fields properly.
What am I missing? (Sorry for such a broad question.)
As an exercise I’ve switched a test copy of my input from the key=value tokenizer extractor to the key_value() pipeline function; details can be found at RAW Input with “Length-prefixed framing” - #6 by nisow95612
These are the results of that exercise (identifying information masked):
- 1st line is the result of that exercise - dstcountry="Czech Republic" was not parsed correctly,
- 2nd line is what Syslog TCP does by default - worked OK, because there was no embedded “=”,
- 3rd line is parsed by key=value tokenizer extractor - worked perfectly. Unfortunately this works only on logs forwarded by FMGR, as explained at RAW Input with “Length-prefixed framing”.
I believe the Graylog servers are fully up to date, so 4.1.
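
The difference described in this post, as an added example that is not part of the original post and is not Graylog's code: splitting on whitespace before looking at quotes truncates dstcountry="Czech Republic", while a quote-aware tokenizer keeps the value whole, including an embedded "=". The sample log line, the field values and both function names are constructed for illustration.

```python
import re

# Constructed FortiGate-style sample line (not taken from the post).
SAMPLE = 'srcip=192.0.2.10 dstcountry="Czech Republic" action=accept msg="a=b test"'


def naive_kv(line):
    """Split on whitespace first, then on the first '='; quotes are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields


# A key, then either a double-quoted value (may hold spaces, '=' and
# backslash-escaped characters) or a bare value that runs to the next space.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def quote_aware_kv(line):
    """Tokenize key=value pairs, treating a quoted value as a single unit."""
    fields = {}
    for match in _PAIR.finditer(line):
        key, quoted, bare = match.group(1), match.group(2), match.group(3)
        # group(2) is None only when the bare-value branch matched.
        fields[key] = quoted if quoted is not None else bare
    return fields


if __name__ == "__main__":
    print("naive:      ", naive_kv(SAMPLE))
    print("quote-aware:", quote_aware_kv(SAMPLE))
```

Comparing the two outputs on a captured message shows quickly whether a parsing stage respects quotes, which matters when fields such as dstcountry feed alerts or dashboards.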