Set_fields Usage?

tmacgbay · January 24, 2022, 5:31am

Looks like Graylog needs us to be more specific on the set_fields() Here is an example I found in another forum post that @shoothub put up:

rule "Cisco FirePower priority parsing"
when
  contains(to_string($message.message), "%FTD", true)
then
  set_fields(grok(pattern: "<%{NONNEGINT:syslog_pri:int}>", value: to_string($message.message), only_named_captures: true)); 
  let priority = expand_syslog_priority(to_long($message.syslog_pri));
  set_fields({facility: priority.facility, level: priority.level });
end

(If this is the answer, please mark it as so for future searchers!)

Topic		Replies	Views
Pipeline - set_fields Graylog Central (peer support)	5	1204	August 22, 2018
Pipeline rule to set facility and log level categories Graylog Central (peer support) pipeline-rules	9	2712	September 23, 2021
Documentation, Fields in $message Graylog Central (peer support)	6	2805	June 2, 2020
Pipelines key value Graylog Central (peer support) pipeline-rules , debuggingpl	6	765	September 16, 2020
Problem with pipeline rule Graylog Central (peer support) pipeline-rules	1	375	September 9, 2020

Set_fields Usage?

Related Topics