I’m trying to generate fields based on a syslog message where a portion of it is comma delimited. I set up the column headers, but when the messages pass through the extractor the only field that I see is the “breakout” field. Below is the code for the extractor.
{
  "extractors": [
    {
      "title": "Flow Extractor",
      "extractor_type": "copy_input",
      "converters": [
        {
          "type": "csv",
          "config": {
            "column_header": "time,src_ip,src_port,dst_ip,dst_port,protocol_pkts_sent,pkts_recvd,bytes_sent,bytes_recvd,dst_interface,path_id,app_name,flow_event,zbfw_rule"
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "Flow",
      "extractor_config": {},
      "condition_type": "regex",
      "condition_value": "cgxFlowLog"
    },
    {
      "title": "csv",
      "extractor_type": "copy_input",
      "converters": [
        {
          "type": "csv",
          "config": {
            "column_header": "time,src_ip,src_port,dst_ip,dst_port,protocol_pkts_sent,pkts_recvd,bytes_sent,bytes_recvd,dst_interface,path_id,app_name,flow_event,zbfw_rule"
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "Flow",
      "target_field": "breakout",
      "extractor_config": {},
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "3.2.5"
}
Here is an example of a message
I may be misunderstanding the CSV converter, but I would have thought that the column headers would now be displayed as fields in my message.
Thank you in advance to anybody who can point me in the right direction.
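An added example, not part of the post above, that mirrors what the CSV converter does with the posted column_header: it takes the comma-delimited part of a message and maps one value to each header name, and yields no fields at all when the number of values differs from the number of header names (the converter needs the two counts to be equal). The sample syslog lines are constructed, and it is an assumption that the comma-delimited part follows the "cgxFlowLog" keyword the extractor's regex condition matches.

```python
import csv
import json
import re

# The relevant part of the extractor config from the post (column_header unchanged).
EXTRACTOR_JSON = json.loads("""{"extractors": [{"title": "Flow Extractor",
 "converters": [{"type": "csv", "config": {"column_header":
 "time,src_ip,src_port,dst_ip,dst_port,protocol_pkts_sent,pkts_recvd,bytes_sent,bytes_recvd,dst_interface,path_id,app_name,flow_event,zbfw_rule"}}],
 "condition_type": "regex", "condition_value": "cgxFlowLog"}]}""")

# Constructed sample messages (not from the post). Assumption: the CSV part follows "cgxFlowLog:".
# MSG_14 carries 14 values, matching the 14 header names; MSG_15 carries one value more.
MSG_14 = ("<134>Jan 10 12:00:01 edge-1 cgxFlowLog: 1704888001,10.0.0.5,51234,203.0.113.9,443,"
          "6,12,1500,900,wan1,p1,https,end,allow-web")
MSG_15 = ("<134>Jan 10 12:00:02 edge-1 cgxFlowLog: 1704888002,10.0.0.5,51235,203.0.113.9,443,"
          "6,10,12,1500,900,wan1,p1,https,end,allow-web")


def column_headers(config):
    """Return the header names of the first CSV converter found in the extractor config."""
    for extractor in config["extractors"]:
        for conv in extractor["converters"]:
            if conv["type"] == "csv":
                return conv["config"]["column_header"].split(",")
    raise ValueError("no csv converter configured")


def csv_portion(message, keyword):
    """Text after the condition keyword (and an optional ':' plus whitespace)."""
    m = re.search(re.escape(keyword) + r":?\s*(.*)$", message)
    if not m:
        raise ValueError("condition keyword not present in message")
    return m.group(1)


def convert(headers, text):
    """One field per header name, or None when the value count differs from the header count."""
    values = next(csv.reader([text]))  # csv handles quoted values containing commas
    if len(values) != len(headers):
        return None
    return dict(zip(headers, values))


def diagnose(config, message):
    """Report header count, value count and the fields the converter would produce."""
    headers = column_headers(config)
    text = csv_portion(message, config["extractors"][0]["condition_value"])
    values = next(csv.reader([text]))
    return {"header_count": len(headers), "value_count": len(values),
            "fields": convert(headers, text)}
```

Running diagnose() over a real message from the input shows immediately whether the header and value counts line up; a mismatch leaves the target field as plain text with no per-column fields.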