Skip to main content
Question

How do I map value field with appropriate name field for the following log sample?

  • March 11, 2025
  • 10 replies
  • 16 views
T

can any one help me with the following

How do I map value field with appropriate name field for the following log sample

Log sample
profileId=sss eventstype=notification eventsname=notification_triggered 0_name=notification_type 0_value=changed_event 1_name=notification_method 1_value=email 2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent

for example in the above log,
1_name=notification_method 1_value=email needs to be mapped as follows:
 notification_method=email.
Similarly for
2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent
should be mapped as follows

recipient_email=some@some.com
notification_message_id=<ssss>
event_id=someevent

I would appreciate any help you can offer

    10 replies

    X
    Forum|alt.badge.img
    • xpac xpac
    • Participating Frequently
    • March 11, 2025

    One possible option would be to use the Regex Extract function, take a look here:https://docs.cribl.io/stream/regex-extract-function/|https://docs.cribl.io/stream/regex-extract-function/Look especially at the trick with the NAME_0 etc capture groups

    Alternatively, parse the fields with the Parser function as KV Format, then use a Code function to match them together, that requires some Javascript fiddling

    T
    • tpeveler
    • Author
    • Employee
    • March 11, 2025

    Many thanks for the suggestion; i will try the above

    B

    I like the Regex approach. A side note... this is a use case similar to what the CEF/LEEF pack does with a code function to stitch back together the CS#/CN#/CF# fields.

    The pack turns this:cs4=103.6.32.100 cs4Label=clientIPAddressinto this:clientIPAddress=103.6.32.100

    https://github.com/criblpacks/cribl-common-event-format/blob/master/default/pipelines/cef_processor/conf.yml#L115-L125

    David Maislin

    which approach did you take?

    T
    • tpeveler
    • Author
    • Employee
    • March 11, 2025

    Many thanks team; I have now managed to map the field name to appropriate values. Thanks again

    T
    • tpeveler
    • Author
    • Employee
    • March 11, 2025

    i used the regex approach

    David Maislin

    (?<_NAME_0>[A-Za-z].+?[^=]+?)=(?<_VALUE_0>[^ ]+)

    David Maislin

    That one?

    T
    • tpeveler
    • Author
    • Employee
    • March 11, 2025

    i used a mask function instead an used regex to capture and map

    582_3ae8ce9253e14d59aca0f3b812fa483b.png
    David Maislin

    So many ways to create solutions in Cribl!

    Terms & ConditionsAccessibility statement