I am using pipeline processing to manipulate some log messages and recently
upgraded to the 2.2.0.beta.2 release because of some grok issues. In this
release, there is a new split function (awesome), but I am stumped about how
I can take my message and convert it into fields. The log that comes in
only has values.
The original message looks like this:
1481902779.726930|Cul6n448SJMZGrPCF6|10.10.10.200|24406|10.200.10.100|1812|auser|(empty)|166.180.80.100|-|success
The pipeline rule looks like this:
rule "Extract bro_radius log fields"
when
    has_field("message") AND
    contains(value: to_string($message.application_name), search: "bro_radius", ignore_case: true)
then
    // split() takes the regex pattern first, then the value; "|" must be escaped
    let m = split("\\|", to_string($message.message));
    set_field("atest", m);
end
This is what gets extracted:
["1481902779.726930","Cul6n448SJMZGrPCF6","10.10.10.200","24406",
"10.200.10.100","1812","auser","(empty)","166.180.80.100","-","success"]
I know what all the field names should be, and when using the regex
extractor in the pipeline, I can just do something like this:
    set_field("ts", m["0"]);
    set_field("uid", m["1"]);
    set_field("id_orig_h", m["2"]);
    set_field("id_orig_p", m["3"]);
    set_field("id_resp_h", m["4"]);
    set_field("id_resp_p", m["5"]);
How can I set a new field name with a value similar to how the regex
function works?
Any help would be appreciated.
Regards,
Brandon
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/83cac985-0281-4667-a95a-0d28801da6a1%40googlegroups.com.
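The same extraction done outside Graylog, as an added example that is not part of the original post or of Graylog itself: a Python parser that splits the radius.log line on "|" and maps the values onto the field names used in the post. The names after id_resp_p (username, mac, remote_ip, connect_info, result) are an assumption taken from the column order of Bro's radius.log, and the two malformed sample lines are constructed. It also does two things the rule as posted does not: it rejects a line whose column count does not match instead of letting values shift into the wrong field names, and it turns Bro's "-" and "(empty)" markers into nulls rather than indexing them as literal strings.

```python
"""Split a pipe-delimited Bro radius.log line into named, typed fields."""
from ipaddress import ip_address

# Column order of Bro's radius.log. Assumption: the post only names the
# first six fields; the remaining names follow the Bro radius.log schema.
RADIUS_FIELDS = (
    "ts", "uid", "id_orig_h", "id_orig_p", "id_resp_h", "id_resp_p",
    "username", "mac", "remote_ip", "connect_info", "result",
)

# Bro writes these markers for unset and empty values; they should not end
# up as the literal strings "-" or "(empty)" in a searchable field.
NULL_MARKERS = {"-", "(empty)"}

PORT_FIELDS = {"id_orig_p", "id_resp_p"}
IP_FIELDS = {"id_orig_h", "id_resp_h", "remote_ip"}


class MalformedRadiusLine(ValueError):
    """Raised when a line does not have exactly len(RADIUS_FIELDS) columns."""


def parse_radius_line(line: str) -> dict:
    """Split one radius.log line on '|' and return a dict of typed fields.

    Raises MalformedRadiusLine instead of guessing when the column count is
    wrong, so a truncated or hand-crafted line cannot shift values into the
    wrong field names (e.g. a username landing in id_resp_h).
    """
    values = line.rstrip("\n").split("|")
    if len(values) != len(RADIUS_FIELDS):
        raise MalformedRadiusLine(
            f"expected {len(RADIUS_FIELDS)} columns, got {len(values)}: {line!r}"
        )
    fields = {}
    for name, raw in zip(RADIUS_FIELDS, values):
        if raw in NULL_MARKERS:
            fields[name] = None
        elif name == "ts":
            fields[name] = float(raw)          # Bro epoch timestamp
        elif name in PORT_FIELDS:
            port = int(raw)
            if not 0 <= port <= 65535:
                raise MalformedRadiusLine(f"port out of range in {name}: {raw}")
            fields[name] = port
        elif name in IP_FIELDS:
            # ip_address() raises ValueError on anything that is not an address
            fields[name] = str(ip_address(raw))
        else:
            fields[name] = raw
    return fields


def parse_radius_lines(lines):
    """Parse many lines; return (parsed records, rejected (line, reason) pairs)."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_radius_line(line))
        except ValueError as exc:       # covers MalformedRadiusLine, int(), float(), ip_address()
            rejected.append((line, str(exc)))
    return parsed, rejected


# Constructed sample input: the line from the post, a line with too few
# columns, and a line whose id_orig_h is not an IP address.
SAMPLE_LINES = [
    "1481902779.726930|Cul6n448SJMZGrPCF6|10.10.10.200|24406|10.200.10.100|1812|"
    "auser|(empty)|166.180.80.100|-|success",
    "1481902780.000000|Abc123|10.10.10.201|24407|10.200.10.100|1812|buser|-|failed",
    "1481902781.000000|Def456|not-an-ip|24408|10.200.10.100|1812|cuser|(empty)|-|-|success",
]

if __name__ == "__main__":
    ok, bad = parse_radius_lines(SAMPLE_LINES)
    for record in ok:
        print(record)
    for line, reason in bad:
        print("REJECTED:", reason)
```

Rejecting on column count is the part worth carrying back into the pipeline rule: a rule that assigns m[0] .. m[10] unconditionally will happily index a short or padded line and produce fields that look valid but hold the wrong values.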