Solved

How can I drop part of a syslog header?

  • March 11, 2025
  • 10 replies
  • 19 views

My raw event looks like this: `_raw: *Mar 31 09:21:11 10.x.x.x* time=1680239950|hostname=D-xxxx|product=test`

I want to drop only the syslog header part (shown in bold above). I am trying to use Parser with Extract and then Serialize. I also tried Parser (Reserialize), but the full event length goes up; I need to drop the header and reduce the size of the full event as well. How can I do this?

Best answer by xpac

You just need Mask with a proper regex

10 replies

  • Participating Frequently
  • Answer
  • March 11, 2025

You just need Mask with a proper regex
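As an added illustration of the Mask-with-regex approach (this is not code from the thread or from Cribl; Cribl Eval and Mask replacement expressions are JavaScript, so the same regex and `replace()` call can be pasted into either), the function below strips an RFC 3164-style header (`Mon DD HH:MM:SS host `) from the front of `_raw`. It assumes the header sits at the very start of the event, that an optional `<PRI>` prefix may precede it, and that a non-matching event must pass through unchanged rather than be truncated. The sample event is constructed to match the shape of the one in the question.

```javascript
// Added example, not from the original post or from Cribl's own code.
// Strips an RFC 3164-style syslog header from the start of _raw, as a
// Cribl Mask function (regex match, empty replacement) or an Eval on _raw
// would. Assumptions: header is at offset 0, "<PRI>" is optional, and a
// non-matching event is returned untouched.

// Constructed sample, same shape as the event in the question.
const SAMPLE = 'Mar 31 09:21:11 10.x.x.x time=1680239950|hostname=D-xxxx|product=test';

// Optional <PRI>, three-letter month, day (1-2 digits, possibly space-padded
// so "\s+" absorbs the double space before a single-digit day), HH:MM:SS,
// one hostname or IP token, then the single space before the payload.
// Anchored with "^" so nothing later in the message can be mistaken for a header.
const SYSLOG_HEADER = /^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s/;

function stripSyslogHeader(raw) {
  // String.replace with a non-global anchored regex: at most one match, and
  // no match means the event is returned as-is (safe for non-syslog input).
  return raw.replace(SYSLOG_HEADER, '');
}

// Reduction is measured in bytes, which is what the pipeline is graded on.
function bytes(s) {
  return new TextEncoder().encode(s).length;
}

function reduction(raw) {
  const before = bytes(raw);
  const after = bytes(stripSyslogHeader(raw));
  return { before, after, saved: before - after };
}

// Equivalent Cribl configuration (assumed field names, check your version's UI):
//   Mask: Match regex = the SYSLOG_HEADER pattern above, Replace expression = ''
//   Eval: _raw = _raw.replace(/^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s/, '')
console.log(stripSyslogHeader(SAMPLE), reduction(SAMPLE));
```

The anchor and the trailing `\s` matter: without `^` a timestamp-looking token inside the payload could be removed, and without the trailing `\s` the payload would start with a leading space that Parser would then treat as part of the first field name.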


David Maislin

Have you tried the free Cribl Sandbox yet? All your questions will be answered there!

https://sandbox.cribl.io


  • Author
  • Known Participant
  • March 11, 2025

Thanks for the tip. Mask with a regex helps reduce the size to a good extent compared to Parser and then Serialize.


David Maislin

It just depends: using the Serialize type you can serialize to KV, CSV, etc., and get great reductions. As long as you are happy with the outcome, that's all that matters.
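To make the "it depends" concrete, here is an added example (not code from the thread or from Cribl) that takes the `key=value|key=value` payload left after the header is removed, parses it the way a Parser (Extract) step would, and re-serializes it as KV, CSV and JSON so the byte counts can be compared. The input is constructed from the field names in the question; the delimiter and quoting rules are assumptions stated in the comments.

```javascript
// Added example, not from the original post or from Cribl's own code.
// Parses a pipe-delimited key=value payload and re-serializes it in three
// output types to show which one actually shrinks the event.
// Assumptions: '|' separates records, the first '=' separates key from
// value, and CSV values are quoted only when they contain ',' '"' or newline.

// Constructed payload, i.e. the event from the question without its syslog header.
const BODY = 'time=1680239950|hostname=D-xxxx|product=test';

// Parser step: split on the record delimiter, then on the FIRST '=' only,
// so a value that itself contains '=' is kept intact.
function parseKv(body, delim = '|') {
  const fields = {};
  for (const pair of body.split(delim)) {
    const i = pair.indexOf('=');
    if (i < 1) continue;                       // empty token or missing key
    fields[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return fields;
}

// Serialize step, three output types.
function toKv(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join(' ');
}

function csvQuote(v) {
  return /[",\n]/.test(v) ? `"${v.replace(/"/g, '""')}"` : v;
}

// CSV carries values only; the header row (field order) lives in the
// Serialize configuration, which is where the saving comes from.
function toCsv(fields) {
  return Object.values(fields).map(csvQuote).join(',');
}

function toJson(fields) {
  return JSON.stringify(fields);
}

function bytes(s) {
  return new TextEncoder().encode(s).length;
}

function compareSizes(body) {
  const f = parseKv(body);
  return {
    original: bytes(body),
    kv: bytes(toKv(f)),
    csv: bytes(toCsv(f)),
    json: bytes(toJson(f)),
  };
}

console.log(compareSizes(BODY));
```

On this payload KV comes out the same size as the original (only the separator changes), CSV roughly halves it because the field names are dropped, and JSON grows it because every key and value gains quotes. That growth is the effect the question describes when reserializing, so the output type, not the Parser step itself, decides whether the event gets smaller.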


  • Author
  • Known Participant
  • March 11, 2025

thank you so much.


David Maislin

Or a simpler Mask

[screenshot of the Mask configuration, not reproduced]

David Maislin

So many ways to do things in Cribl


David Maislin

Or an Eval:

[screenshot of the Eval configuration, not reproduced]

  • Author
  • Known Participant
  • March 11, 2025

Here is mine, a long regex, but it works.

[screenshot of the author's regex, not reproduced]

  • Author
  • Known Participant
  • March 11, 2025

I have made a pipeline for the Check Point log exporter which does a 25% reduction using masking and aggregation. You can find it in this Checkpoint Pack: https://github.com/jpvlsmv/cc-checkpoint-pack