How can I drop part of a syslog header?

saurabh.gupta

my raw event looks like this α    _raw: `*Mar 31 09:21:11 10.x.x.x* time=1680239950|hostname=D-xxxx|product=test`

I want to drop only the syslog header part (shown in Bold above) I am trying to use parse with extract and serialize. I also tried with parse (reserialize) but the full event length is going high, I need to drop header and reduce the size of full event as well... how can I do this?

xpac xpac

You just need Mask with a proper regex

xpac xpac

You just need Mask with a proper regex

David Maislin

Have you tried the free Cribl Sandbox yet? All your questions will be answered there!

https://sandbox.cribl.io

saurabh.gupta

Thanks for the tip. Mask with regex helps a bit in reduction to good extent compare to parser and then serialize.

David Maislin

It just depends, using the Serialize Type you can serialize to KV, CSV, etc., and get great reductions. As long as you are happy with the outcome then that's all that matters.

David Maislin

Or a simpler Mask

saurabh.gupta

thank you so much.

David Maislin

Or an Eval:

David Maislin

So many ways to do things in Cribl

saurabh.gupta

here is mine, long regex but works.

saurabh.gupta

i have made a pipeline for checkpoint log exporter which does 25% reduction using masking and aggregation. You can find it in this Checkpoint Pack: https://github.com/jpvlsmv/cc-checkpoint-pack