
Can anyone help me with the following?

How do I map the value field to the appropriate name field for the following log sample?

Log sample
profileId=sss eventstype=notification eventsname=notification_triggered 0_name=notification_type 0_value=changed_event 1_name=notification_method 1_value=email 2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent

For example, in the above log,
1_name=notification_method 1_value=email needs to be mapped as follows:
notification_method=email
Similarly,
2_name=recipient_email 2_value=some@some.com 3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent
should be mapped as follows:

recipient_email=some@some.com
notification_message_id=<ssss>
event_id=someevent

I would appreciate any help you can offer

One possible option would be to use the Regex Extract function, take a look here: https://docs.cribl.io/stream/regex-extract-function/ Look especially at the trick with the NAME_0 etc. capture groups.

Alternatively, parse the fields with the Parser function as KV format, then use a Code function to match them together; that requires some JavaScript fiddling.


Many thanks for the suggestion; I will try the above.


I like the Regex approach. A side note... this is a use case similar to what the CEF/LEEF pack does with a code function to stitch back together the CS#/CN#/CF# fields.

The pack turns this: cs4=103.6.32.100 cs4Label=clientIPAddress into this: clientIPAddress=103.6.32.100

https://github.com/criblpacks/cribl-common-event-format/blob/master/default/pipelines/cef_processor/conf.yml#L115-L125
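The Parser (KV) plus Code-function route from the first reply, and the CEF-pack style of stitching a label field onto its value field described just above, as one added JavaScript example; this is not the thread's or Cribl's own code. parseKv, stitchNameValue and processLine are my own helper names, and SAMPLE is the log line from the question.

```javascript
// Added example (not Cribl's code): parse a key=value line, then stitch every
// "<n>_name" / "<n>_value" pair into a single "<name>=<value>" field, the way
// a Code function could run after a Parser (KV) function.

// Constructed sample: the log line from the question.
const SAMPLE =
  'profileId=sss eventstype=notification eventsname=notification_triggered ' +
  '0_name=notification_type 0_value=changed_event 1_name=notification_method ' +
  '1_value=email 2_name=recipient_email 2_value=some@some.com ' +
  '3_name=notification_message_id 3_value=<ssss> 4_name=event_id 4_value=someevent';

// Minimal KV parser: whitespace-separated key=value tokens, values without spaces.
function parseKv(line) {
  const event = {};
  for (const tok of line.split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq <= 0) continue;                 // not a key=value token, skip it
    event[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return event;
}

// Copy event[<n>_value] into event[<name>] where <name> = event[<n>_name],
// then drop the indexed pair. Pairs missing a value, names that are not plain
// identifiers, and names that would overwrite an existing field are left alone.
function stitchNameValue(event) {
  const out = { ...event };
  const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;   // reject odd/unsafe field names
  for (const key of Object.keys(event)) {
    const m = /^(\d+)_name$/.exec(key);
    if (!m) continue;
    const valueKey = `${m[1]}_value`;
    const name = event[key];
    if (!Object.prototype.hasOwnProperty.call(event, valueKey)) continue; // orphan _name
    if (!SAFE_NAME.test(name) || name === '__proto__') continue;          // untrusted name
    if (Object.prototype.hasOwnProperty.call(out, name)) continue;        // do not clobber
    out[name] = event[valueKey];
    delete out[key];
    delete out[valueKey];
  }
  return out;
}

function processLine(line) {
  return stitchNameValue(parseKv(line));
}
```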


which approach did you take?


Many thanks team; I have now managed to map the field name to appropriate values. Thanks again


I used the regex approach


(?<_NAME_0>[A-Za-z].+?[^=]+?)=(?<_VALUE_0>[^ ]+)


That one?


I used a Mask function instead and used regex to capture and map.


So many ways to create solutions in Cribl!

