Split key/value string containing same field names?

I’m trying to split Windows Audit log field “winlogbeat_winlog_event_data_ObjectDN” that contains multiple key/value pairs with same names. Example:

CN=something,OU=some_group,OU=another_thing,DC=company,DC=tld

How can I extract this so it will not rewrite fields into something like:
CN=something
OU_1=some_group
OU_2=another_thing
DC_1=company
DC_2=tld

Is that even possible? Thing is, those fields are not fixed and differ between events (sometimes you have multiple CNs, sometimes multiple OUs,…)?

The key_value() function has methods in it to handle duplicate keys.

allow_dup_keys
Indicates if duplicated keys are allowed. Default value: true.

handle_dup_keys
How to handle duplicated keys (if allow_dup_keys is set). It can take the values take_first, which will only use the first value for the key; or take_last, which will only use the last value for the key. Setting this option to any other value will change the handling to concatenate, which will combine all values given to the key, separating them with the value set in this option. For example, setting handle_dup_keys: "," would combine all values given to a key a, separating them with a comma, such as 1,2,foo. Default value: take_first.

Graylog isn’t great about iterating through a variable count set, so this is likely the best you will get. Better to take the results and process them at a later time, either subsequent pipeline stage or perhaps as a decorator in a dashboard…
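To make the two-stage approach above concrete, here is an added example written for this thread (it is not Graylog code and not from either poster). It is in Python rather than the pipeline rule language so it can be run locally: the first function mimics the key_value() duplicate-key options quoted above (take_first, take_last, or a concatenation separator; the semantics are modelled on the quoted option text, which is an assumption), and the second does the later processing step the answer suggests, splitting the concatenated value back into numbered fields such as OU_1 and OU_2. The sample DN strings are constructed; the second one contains an RFC 4514 escaped comma, which a plain split on "," would break.

```python
"""Added example (not from the thread): parse an ObjectDN-style string with
key_value()-like duplicate handling, then expand concatenated duplicates into
numbered fields (OU_1, OU_2, ...) as a separate post-processing step."""
import re

# Constructed sample values. The second carries an escaped comma inside a value.
SAMPLE_DN = "CN=something,OU=some_group,OU=another_thing,DC=company,DC=tld"
SAMPLE_DN_ESCAPED = r"CN=Smith\, John,OU=Users,DC=company,DC=tld"

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_SPLIT_RE = re.compile(r"(?<!\\),")


def key_value(value, kv_delimiter="=", allow_dup_keys=True,
              handle_dup_keys="take_first"):
    """Mimic the duplicate-key options of Graylog's key_value() as quoted in
    the answer (assumption: modelled on that text, not on Graylog's source).

    take_first    -> keep the first value seen for a key
    take_last     -> keep the last value seen for a key
    anything else -> concatenate all values, using that string as separator
    """
    fields = {}
    for pair in _SPLIT_RE.split(value):
        if kv_delimiter not in pair:
            continue  # fragment without a key/value delimiter is ignored
        key, val = pair.split(kv_delimiter, 1)
        key, val = key.strip(), val.replace("\\,", ",").strip()
        if key not in fields:
            fields[key] = val
        elif not allow_dup_keys:
            raise ValueError(f"duplicate key {key!r}")
        elif handle_dup_keys == "take_first":
            continue
        elif handle_dup_keys == "take_last":
            fields[key] = val
        else:
            fields[key] = f"{fields[key]}{handle_dup_keys}{val}"
    return fields


def expand_numbered(fields, separator):
    """Second stage: turn OU='a|b' into OU_1='a', OU_2='b'.
    Keys that occurred only once keep their original name."""
    out = {}
    for key, val in fields.items():
        parts = val.split(separator)
        if len(parts) == 1:
            out[key] = val
        else:
            for i, part in enumerate(parts, start=1):
                out[f"{key}_{i}"] = part
    return out


def split_dn(value, separator="|"):
    """Full pipeline: concatenate duplicates with a separator that does not
    occur in DN values (assumption), then expand into numbered fields."""
    return expand_numbered(key_value(value, handle_dup_keys=separator), separator)


if __name__ == "__main__":
    print(split_dn(SAMPLE_DN))
    print(split_dn(SAMPLE_DN_ESCAPED))
```

The separator used for concatenation matters: a comma would be ambiguous once a value such as "Smith, John" has been unescaped, so the example uses "|" and treats its absence from DN values as an assumption. In Graylog the equivalent would be key_value() with handle_dup_keys set to that separator in one stage, and the numbering done in a later stage or decorator, as the answer describes.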
