Hi, splitting a message into multiple messages according to the pattern you've mentioned is kind of hard.
I would (still) recommend changing the generation of the GELF messages at the source and sending one GELF message for each infected/found file. If you tell us how you generate the GELF messages and what the source for those looks like, we might be able to give you some advice on how and what to change.

Cheers,
Jochen

On Tuesday, 23 August 2016 21:01:41 UTC+2, ravedog wrote:
>
> Hi,
>
> Just installed graylog server to handle my logging needs. However, I
> bumped into an issue I'd be grateful for some help with.
>
> So I'm creating GELF messages and sending them to the graylog server.
> The GELFs are containing variables, but expanded they could look like this
> inside the GELF:
>
> ...
> "_clamav_infected":"1",
> "_clamav_infected_files":"/path/to/files: name-of-virus FOUND",
> ...
>
> So the field called "_clamav_infected_files" above will constantly contain
> the same three-field pattern.
>
> - /path/to/file = Always unix format, beginning with "/" and ending
> with ":".
> - name-of-virus = will in all cases I have seen be worded together
> without any space, using "." or "-" instead (example Very-Nasty.Virus-XZY)
> - FOUND = Static word.
>
>
> This is working great and exactly as I wanted. However, I have bumped
> into issues when several of these patterns are in the same field.
> Say for example that two viruses have been found, in that case the above
> example will look like this:
>
> ...
> "_clamav_infected":"1",
> "_clamav_infected_files":"/path/to/file1: name-of-virus1 FOUND
> /path/to/file2: name-of-virus2 FOUND",
> ...
>
> I know this is sub-par as far as filling out a field goes, but I wonder if
> there is any way I can match this and get this sorted from inside graylog?
> So that every pattern starting with "/" ending with "FOUND" would get a
> new field by an extractor, regardless if there is 1 pattern like this, or
> 10.
>
> Any suggestions on if this is possible?
>
> Talked to the guys at graylog Freenode IRC today and they pointed me
> towards changing the source incoming, but I'm curious to see if there is
> any other way than that.
> I also got a suggestion to use grok for this, I was succeeding in
> sorting the first pattern into separate fields (so "path" into a new field
> and "virus name" into a new field) but never the full pattern as one
> field and never more than the first instance of the pattern.
>
> Thanks in advance!
>
> /R
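As an added example, not code from either poster, the following Python does what Jochen recommends at the source: it parses the concatenated _clamav_infected_files value using the "/path: signature FOUND" pattern ravedog describes and emits one GELF message per finding. The output field names _clamav_infected_file and _clamav_signature, and the sample message, are assumptions made for the example.

```python
import json
import re

# One ClamAV finding as described in the thread: "/path/to/file: name-of-virus FOUND".
# The path starts with "/" and is matched non-greedily up to the ": " before the
# signature name (so paths containing spaces or colons still work); the signature
# name contains no whitespace; FOUND is a literal. Several findings may be
# concatenated in one string, separated by a newline or a space.
FINDING_RE = re.compile(r"(/.+?):\s+(\S+)\s+FOUND")


def parse_findings(field):
    """Return a list of (path, signature) pairs found in the field, in order."""
    return [(m.group(1), m.group(2)) for m in FINDING_RE.finditer(field)]


def split_gelf(message):
    """Split one GELF message holding N findings into N GELF messages.

    Each copy keeps the original fields but replaces _clamav_infected_files with
    one _clamav_infected_file and one _clamav_signature (assumed field names).
    A message with no parsable finding is returned unchanged, as a 1-element list.
    """
    findings = parse_findings(message.get("_clamav_infected_files", ""))
    if not findings:
        return [message]
    out = []
    for path, signature in findings:
        per_file = {k: v for k, v in message.items() if k != "_clamav_infected_files"}
        per_file["_clamav_infected_file"] = path
        per_file["_clamav_signature"] = signature
        out.append(per_file)
    return out


# Constructed sample GELF message, shaped like the two-finding case in the thread.
SAMPLE = {
    "version": "1.1", "host": "scanner01", "short_message": "clamav scan finished",
    "_clamav_infected": "1",
    "_clamav_infected_files": "/path/to/file1: name-of-virus1 FOUND\n"
                              "/path/to/file2: Very-Nasty.Virus-XZY FOUND",
}

if __name__ == "__main__":
    for msg in split_gelf(SAMPLE):
        print(json.dumps(msg))  # one GELF message (JSON line) per infected file
```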
