Use pipelines to remove commas from events?


Dealing with Palo Alto Panorama events, which use comma delimiting for each field. Not looking to fully parse out the events, due to disk space concerns (events take up about 6x size when parsed out). Either that or if you know a way of searching within an event when it is ,data,
unable to do ,data, or “data” or “,data,”

example of event - from message field in graylog:

PANPANSERVER.sample.local  15:23:00,001801014452,TRAFFIC,start,1,2017/11/10 15:23:00,,,,,Palo-Rulename,domain\user,,ssl,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,SYSLOG-Forwarder,2017/11/10 15:23:00,32637,1,55887,443,25444,443,0x400000,tcp,allow,763,697,66,4,2017/11/10 15:23:00,0,any,0,3858443278,0x0,XX-PT0,US,0,3,1,n/a,27,16,0,0,,PANPANSERVER,from-policy


You can define your own custom log format on the sending end and select the desired fields there.

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.