Never mind, I'm dumb.
This works just fine. The double quotes " were the problem.
set_field("ts", m[0]);
set_field("uid", m[1]);
set_field("id_orig_h", m[2]);
set_field("id_orig_p", m[3]);
set_field("id_resp_h", m[4]);
set_field("id_resp_p", m[5]);
On Friday, December 16, 2016 at 10:02:23 AM UTC-6, BKeep wrote:
>
> I am using pipeline processing to manipulate some log messages and
> recently upgraded to the 2.2.0.beta.2 release because of some grok issues.
> In this release, there is a new split function (awesome) but I am stumped
> about how I can take my message and convert it into fields. The log that
> comes in only has values.
>
> The original message looks like this:
> 1481902779.726930|Cul6n448SJMZGrPCF6|10.10.10.200|24406|10.200.10.100|1812|auser|(empty)|166.180.80.100|-|success
>
> The pipeline rule looks like this:
> rule "Extract bro_radius log fields"
> when
> has_field("message") AND
> contains(value: to_string($message.application_name), search:
> "bro_radius", ignore_case: true)
> then
> let m = split("\\|", to_string($message.message));
>
> set_field("atest", m);
>
> This is what gets extracted:
> ["1481902779.726930","Cul6n448SJMZGrPCF6","10.10.10.200","24406",
> "10.200.10.100","1812","auser","(empty)","166.180.80.100","-","success"]
>
> I know what all the field names should be and when using the regex
> extractor in the pipeline, I can just do something like this:
> set_field("ts", m["0"]);
> set_field("uid", m["1"]);
> set_field("id_orig_h", m["2"]);
> set_field("id_orig_p", m["3"]);
> set_field("id_resp_h", m["4"]);
> set_field("id_resp_p", m["5"]);
>
> How can I set a new field name with a value similar to how the regex
> function works?
> Any help would be appreciated.
>
> Regards,
> Brandon
>
>
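The same positional mapping in Python, as an added example (not code from the post or from Graylog): it splits the sample message on a literal pipe, indexes the result by integer position, and rejects any record with the wrong number of values so a malformed line cannot shift values into the wrong fields. The field names after id_resp_p, the type conversions, and the treatment of "-" and "(empty)" as unset are assumptions based on Bro's radius.log layout.

```python
import re

# Sample message copied from the post above.
SAMPLE = ("1481902779.726930|Cul6n448SJMZGrPCF6|10.10.10.200|24406|"
          "10.200.10.100|1812|auser|(empty)|166.180.80.100|-|success")

# The first six names come from the post; the last five are assumed
# from the column order of Bro's radius.log.
FIELDS = ["ts", "uid", "id_orig_h", "id_orig_p", "id_resp_h", "id_resp_p",
          "username", "mac", "remote_ip", "connect_info", "result"]

# Assumption: Bro writes "-" for an unset value and "(empty)" for an empty one.
UNSET = {"-", "(empty)"}
PORT_FIELDS = {"id_orig_p", "id_resp_p"}


def parse_radius(message):
    """Map a pipe-delimited radius record onto named fields by position."""
    # Same pattern as the rule: the pipe is escaped so it is a literal,
    # not a regex alternation.
    parts = re.split(r"\|", message.strip())

    # Positional mapping is only safe when the count matches exactly;
    # otherwise every later value would land in the wrong field.
    if len(parts) != len(FIELDS):
        raise ValueError(
            "expected %d values, got %d" % (len(FIELDS), len(parts)))

    record = {}
    for index, name in enumerate(FIELDS):
        value = parts[index]          # integer index, like m[0] in the rule
        if value in UNSET:
            continue                  # leave unset fields off the record
        if name in PORT_FIELDS:
            value = int(value)        # ports are numeric
        elif name == "ts":
            value = float(value)      # epoch seconds with fraction
        record[name] = value
    return record


if __name__ == "__main__":
    for key, val in parse_radius(SAMPLE).items():
        print(key, "=", val)
```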