Splitting 2 types of events from a single syslog stream based on event data fields

Hi community, I have a requirement of splitting 2 types of events from a single syslog stream based on event data fields like "appname=='CEF'". I tried the following filter in data routes and was hoping it would work:

__inputId.startsWith('syslog:in_syslog:') && appname=='CEF'

But unfortunately it's not working. I already went through the Cribl documentation (https://sandbox.cribl.io/coursedocs/expressions/docs/filters) but I'm not sure where exactly the filter condition fails to filter the events.
Answers

Hi Manish, does the event contain a field appname=CEF already as a field, or is it within the _raw field? If the latter, you will need to either split the field out in a preprocessing pipeline or use another filter condition like _raw.includes('CEF'). Could you share an anonymized sample event here?

Hi Oliver, this seems to be fixed now. Actually, I didn't notice that the syslog stream was consumed completely in a prior data route which was set as final, so there was no data forwarded to the subsequent data route.

Glad you found the problem.
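The two points raised in this thread (a filter on appname only matches once appname exists as a parsed field, and a preceding route marked final swallows events before later routes see them) can be checked with the following added example. This is not Cribl's code or anything from the thread participants; it is a small JavaScript simulator of route evaluation written for this page. Cribl filters are JavaScript expressions over event fields, so the expressions from the thread are reused here as plain functions. The sample events, the route names all_syslog and cef_only, and the routeEvents helper are all constructed for the example.

```javascript
// Added illustration, not Cribl's engine: a minimal simulator of route
// evaluation. Each route has a JavaScript filter and a "final" flag; the first
// matching final route stops evaluation for that event.

// Constructed sample events (all from the same syslog input).
// Event 1 has CEF only inside _raw, event 2 has appname already parsed out,
// event 3 is an ordinary sshd message.
const events = [
  { __inputId: 'syslog:in_syslog:514',
    _raw: '<134>1 host CEF:0|Vendor|Product|1.0|100|Test|5|src=10.0.0.1' },
  { __inputId: 'syslog:in_syslog:514', appname: 'CEF',
    _raw: '<134>1 host CEF:0|Vendor|Product|1.0|100|Test|5|src=10.0.0.1' },
  { __inputId: 'syslog:in_syslog:514', appname: 'sshd',
    _raw: '<38>1 host sshd: Accepted publickey for user' },
];

// Filter from the question: true only when appname is a parsed field.
const cefByField = (e) =>
  e.__inputId.startsWith('syslog:in_syslog:') && e.appname == 'CEF';

// Filter suggested in the answer: works while CEF is still embedded in _raw.
const cefByRaw = (e) =>
  e.__inputId.startsWith('syslog:in_syslog:') && e._raw.includes('CEF');

// Evaluate routes in order and count hits per route. A matching route with
// final=true ends processing of that event, so later routes never see it.
function routeEvents(routes, evs) {
  const hits = Object.fromEntries(routes.map((r) => [r.name, 0]));
  for (const e of evs) {
    for (const r of routes) {
      if (!r.filter(e)) continue;
      hits[r.name] += 1;
      if (r.final) break;
    }
  }
  return hits;
}

// Layout that reproduces the thread's root cause: a catch-all syslog route
// marked final sits ahead of the CEF route, so cef_only receives nothing.
function brokenLayout() {
  return routeEvents([
    { name: 'all_syslog',
      filter: (e) => e.__inputId.startsWith('syslog:in_syslog:'), final: true },
    { name: 'cef_only', filter: cefByRaw, final: true },
  ], events);
}

// Corrected layout: the more specific CEF route is evaluated first.
function fixedLayout() {
  return routeEvents([
    { name: 'cef_only', filter: cefByRaw, final: true },
    { name: 'all_syslog',
      filter: (e) => e.__inputId.startsWith('syslog:in_syslog:'), final: true },
  ], events);
}

// How many sample events each filter expression matches on its own.
function matchByField() { return events.filter(cefByField).length; }
function matchByRaw() { return events.filter(cefByRaw).length; }

console.log('broken:', brokenLayout());   // all_syslog: 3, cef_only: 0
console.log('fixed:', fixedLayout());     // cef_only: 2, all_syslog: 1
console.log('appname filter hits:', matchByField()); // 1
console.log('_raw filter hits:', matchByRaw());      // 2
```

Running the block shows both effects side by side: the appname filter matches only the event whose appname field was already extracted, while _raw.includes('CEF') matches both CEF events; and with the catch-all final route first, the CEF route counts zero hits regardless of which filter it uses.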