How do I map value field with appropriate name field for the following log sample?
Can anyone help me with the following?
Log sample
profileId=sss eventstype=notification eventsname=notification_triggered 0_name=notification_type 0_value=changed_event 1_name=notification_method 1_value=email 2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent
For example, in the above log,
1_name=notification_method 1_value=email needs to be mapped as follows:
notification_method=email
Similarly for
2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent
should be mapped as follows:
recipient_email=some@some.com
notification_message_id=<ssss>
event_id=someevent
I would appreciate any help you can offer
Answers
-
One possible option would be to use the Regex Extract function, take a look here: https://docs.cribl.io/stream/regex-extract-function/ Look especially at the trick with the NAME_0 etc capture groups.
Alternatively, parse the fields with the Parser function as KV Format, then use a Code function to match them together, that requires some Javascript fiddling
0 -
Many thanks for the suggestion; I will try the above.
0 -
I like the Regex approach. A side note... this is a use case similar to what the CEF/LEEF pack does with a code function to stitch back together the CS#/CN#/CF# fields. The pack turns this: cs4=103.6.32.100 cs4Label=clientIPAddress into this: clientIPAddress=103.6.32.100
0 -
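The "Parser as KV, then a Code function" approach from the first answer, and the CEF-style csN/csNLabel stitching the second answer describes, modelled in plain JavaScript as an added example. This is not code from the thread, from Cribl, or from the CEF/LEEF pack; `parseKv` is a stand-in for the Parser function, `stitchIndexedPairs` and `stitchLabelPairs` are stand-ins for the Code function, and the sample log line is the one from the question. Because the new field name comes straight out of log content, the stitch functions refuse names that are not plain identifiers (so a crafted `0_name=__proto__` cannot pollute the object prototype) and names that would overwrite a field the event already has.

```javascript
// Added example (not from the original thread or from Cribl): a plain
// JavaScript model of "Parser (KV) then Code function", generalised to the
// CEF-style csN/csNLabel stitching the second answer mentions.
// The log line below is the one from the question (constructed sample).
const SAMPLE_LOG =
  "profileId=sss eventstype=notification eventsname=notification_triggered " +
  "0_name=notification_type 0_value=changed_event 1_name=notification_method " +
  "1_value=email 2_name=recipient_email 2_value=some@some.com " +
  "3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent";

// Only accept field names that look like ordinary identifiers. This keeps
// log-controlled names such as "__proto__" or "a b" out of the event object.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Stand-in for Cribl's Parser function in KV mode: split on whitespace and
// on the first "=" of each token. Values in this sample never contain spaces.
function parseKv(line) {
  const fields = {};
  for (const token of line.trim().split(/\s+/)) {
    const eq = token.indexOf("=");
    if (eq <= 0) continue; // token has no key, skip it
    fields[token.slice(0, eq)] = token.slice(eq + 1);
  }
  return fields;
}

// Generic stitcher: for every key matching nameKeyRe, derive the key that
// holds the value, and fold both into a single field named by the *value*
// of the name key. Orphan pairs and names that would clobber an existing
// field are left untouched rather than silently merged.
function stitch(fields, nameKeyRe, valueKeyFor) {
  const out = { ...fields };
  for (const key of Object.keys(fields)) {
    const m = nameKeyRe.exec(key);
    if (!m) continue;
    const valueKey = valueKeyFor(m);
    const newName = fields[key];
    if (!(valueKey in fields)) continue;      // name without a value
    if (!SAFE_NAME.test(newName)) continue;   // reject unsafe field names
    if (newName in fields) continue;          // would overwrite a real field
    out[newName] = fields[valueKey];
    delete out[key];
    delete out[valueKey];
  }
  return out;
}

// "<n>_name=X <n>_value=Y"  ->  "X=Y"   (the question's format)
function stitchIndexedPairs(fields) {
  return stitch(fields, /^(\d+)_name$/, (m) => `${m[1]}_value`);
}

// "cs4=Y cs4Label=X"  ->  "X=Y"   (CEF extension fields: cs/cn/cf and friends)
function stitchLabelPairs(fields) {
  return stitch(fields, /^([a-z]+\d+)Label$/, (m) => m[1]);
}

// Full pipeline: parse, then apply both stitchers.
function mapLog(line) {
  return stitchLabelPairs(stitchIndexedPairs(parseKv(line)));
}

console.log(mapLog(SAMPLE_LOG));
console.log(mapLog("cs4=103.6.32.100 cs4Label=clientIPAddress"));
```

Running the block prints the stitched objects: `notification_method: "email"`, `recipient_email: "some@some.com"`, `notification_message_id: "<ssss>"`, `event_id: "someevent"` alongside the original `profileId`/`eventstype`/`eventsname` fields, with the numbered `_name`/`_value` keys removed; the CEF line becomes `clientIPAddress: "103.6.32.100"`.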
Many thanks team; I have now managed to map the field name to appropriate values. Thanks again
0 -
which approach did you take?
0 -
I used the regex approach.
0 -
(?<_NAME_0>[A-Za-z].+?[^=]+?)=(?<_VALUE_0>[^ ]+)
0 -
That one?
0 -
I used a Mask function instead and used regex to capture and map.
0 -
So many ways to create solutions in Cribl!
0