It might be useful to allow using explode for pipeline processing. I am currently sending in a stream of log data that is separated using a pipe character (not that it matters, it could be anything, like \t or ,). The sample message contents look like this.
1480800834.454168|CIiI9gffyuLe4FKV2|10.10.10.10|59977|8.8.8.8|53|udp|16796|sample.host.domain.tld|1|C_INTERNET|28|AAAA|0|NOERROR|F|F|T|T|0|2606:2800:220:235b:2d0:24b1:17e2:22a5|3599.000000|F
The solution I have been working on requires writing some pretty hefty regexes, which probably aren't as performant as they could be.
let m = regex("^([\\d\\.]+).?([\\d\\w]+).?([\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3}).?([\\d]+).?([\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3}).?([\\d]+).?([a-zA-Z-]+).?([\\d\\.-]+).?([\\w\\d\\._-]+).?([\\d-]).?([\\w\\d\\._-]+).?([\\d-]{1,5}).?([\\w\\d]{1,10}).?([\\d-]).?([A-Z]{5,10}).?([TF]).?([TF]).?([TF]).?([TF]).?([\\d-]).?([\\w\\d\\._:,-]+).?([\\d\\.:,-]+).?([TF])\\R?", to_string($message.message));
I was thinking that having a function to explode based on a separator would be wonderful if it could act in a similar manner, like:
let m = explode("|", to_string($message.message));
It may be that I can accomplish what I'm doing using an alternative method, which is okay too.
Graylog Version: 2.2.1
Regards, Brandon
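
The split-based parsing requested above, sketched in Python as an added example (not code from the post or from Graylog). The field names are assumptions, since the post does not name its 23 columns, and the handling of `,` and `-` in the last columns is inferred from the character classes in the posted regex.

```python
import ipaddress

# Field names are assumptions (the post does not name its 23 columns).
FIELDS = [
    "ts", "uid", "src_ip", "src_port", "dst_ip", "dst_port", "proto",
    "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "aa", "tc", "rd", "ra", "z", "answers", "ttls",
    "rejected",
]
BOOL_FIELDS = ("aa", "tc", "rd", "ra", "rejected")
PORT_FIELDS = ("src_port", "dst_port")
IP_FIELDS = ("src_ip", "dst_ip")


def explode(sep, message):
    """Split one delimited log line into a dict of typed, named fields."""
    parts = message.rstrip("\r\n").split(sep)
    # A wrong column count means a truncated line or a separator inside a value.
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    for name in IP_FIELDS:
        rec[name] = str(ipaddress.ip_address(rec[name]))  # ValueError if invalid
    for name in PORT_FIELDS:
        port = int(rec[name])
        if not 0 <= port <= 65535:
            raise ValueError(f"{name} out of range: {port}")
        rec[name] = port
    for name in BOOL_FIELDS:
        if rec[name] not in ("T", "F"):
            raise ValueError(f"{name} must be T or F, got {rec[name]!r}")
        rec[name] = rec[name] == "T"
    # Assumed: multi-valued columns are comma-separated and "-" means empty.
    for name in ("answers", "ttls"):
        rec[name] = [] if rec[name] == "-" else rec[name].split(",")
    return rec


# Sample line from the post above.
SAMPLE = ("1480800834.454168|CIiI9gffyuLe4FKV2|10.10.10.10|59977|8.8.8.8|53|udp|"
          "16796|sample.host.domain.tld|1|C_INTERNET|28|AAAA|0|NOERROR|F|F|T|T|0|"
          "2606:2800:220:235b:2d0:24b1:17e2:22a5|3599.000000|F")

if __name__ == "__main__":
    for key, value in explode("|", SAMPLE).items():
        print(f"{key:12} {value!r}")
```

Unlike the `.?` separators in the regex, which match any character or none, the split rejects a line whose column count is off, so truncated or injected fields fail parsing instead of shifting silently into the wrong capture group.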