1. Describe your incident:
Hi, all!
I’m trying to parse a message using the split function, setting a pipe (|) as the delimiter. But the function is splitting the message on the “-” character too.
2. Describe your environment:
- OS Information: Ubuntu 22.04
- Package Version: Graylog 4.3.8+8c4705e
3. What steps have you already taken to try and solve the problem?
I’m trying to configure a pipeline to parse syslog messages from a storage system’s audit logs. Since the parsing was not working, I created a rule just to debug the message and figure out what’s wrong.
Here is an example of the syslog messages received:
S-1-5-21-2614985949-316108637-4164631079-11292|1000217|DataAZ0|3|10.12.241.109|SMB|CLOSE|SUCCESS|FILE|0:0|0:0|4775020572|/ifs/cluster0/DataAZ0/FILESERVER/PAE/Manufacturing Control.xls
The rule code is:
rule "debug"
when
true
then
debug( to_string(split("|", to_string($message.message))[0]) );
end
And the output in the server.log is like:
2024-06-21T13:38:20.652-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.652-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.704-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.704-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.704-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.704-03:00 INFO [Function] PIPELINE DEBUG: S
2024-06-21T13:38:20.916-03:00 INFO [Function] PIPELINE DEBUG: S
4. How can the community help?
As you can see, the function is splitting on the “-” character. What am I doing wrong?