Open bdalpe opened 12 months ago
As an FYI - my current solution is to include a pre-processing pipeline on the source with an anchored parse function that makes OctetFraming optional and stops before the domain if it's included.
```javascript
// Guard the null case: match() returns null on a non-matching line, so indexing it
// directly would throw instead of falling through to the host fallback.
(_raw.match(/^[\d\s]*<\d+>1\s[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\S*\s([^.\s]*)/) || [])[1] || host
```
Example capture:

```text
<14>1 2023-11-27T19:57:48+00:00 MyPanoramaHost - - - - 1,2023/11/27 19:57:47,023452361385,TRAFFIC,drop,2562,2023/11/27 19:57:39,10.11.222.82,52.1.2.3,0.0.0.0,0.0.0.0,VLAN131 Deny Rule,,,not-applicable,vsys1,CER-PHI,outside,ae1.131,,My_Panorama_Logger,2023/11/27 19:57:39,0,1,61620,443,0,0,0x0,tcp,deny,0,0,0,1,2023/11/27 19:57:36,0,any,,7207890879090424896,0x8000000000000000,United States,United States,,1,0,policy-deny,66,108,0,0,,us-fw-location-devicename,from-policy,,,0,,0,,N/A,0,0,0,0,30sdf03-32ee-1j6v-9847-1b2jlyf07,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2023-11-27T19:57:40.367+00:00,,,unknown,unknown,unknown,1,,,not-applicable,no,no,0,NonProxyTraffic,
```
Pipelines should support both RFC3164 and RFC5424 formats
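An added example, not the poster's pipeline expression or the project's code: a small header parser that accepts either format named in this issue, treats the RFC6587 octet count as optional, and trims the hostname to its first label as the expression above does. The RFC3164 sample line is constructed from the standard RFC example and `FALLBACK_HOST` is a placeholder for the pipeline's host field.

```javascript
// Constructed sample inputs: the RFC5424 line from this issue (plus an
// octet-framed variant) and a standard RFC3164 line.
const SAMPLES = [
  '<14>1 2023-11-27T19:57:48+00:00 MyPanoramaHost - - - - 1,2023/11/27 19:57:47,TRAFFIC,drop',
  '512 <14>1 2023-11-27T19:57:48+00:00 fw01.example.net - - - - 1,2023/11/27 19:57:47,TRAFFIC,drop',
  "<34>Oct 11 22:14:15 mymachine.example.com su: 'su root' failed for lonvick on /dev/pts/8",
  'not a syslog line at all',
];
const FALLBACK_HOST = 'placeholder-host'; // stands in for the source's host field

// RFC5424: optional "<octet-count> " frame, <PRI>1, then TIMESTAMP HOSTNAME APP-NAME PROCID MSGID.
const RFC5424 = /^(?:\d+\s+)?<(\d{1,3})>1\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s/;
// RFC3164: <PRI>Mmm dd hh:mm:ss HOSTNAME, followed by TAG and content.
const RFC3164 = /^<(\d{1,3})>([A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s/;

const nil = (v) => (v === '-' ? undefined : v);          // RFC5424 NILVALUE
const firstLabel = (h) => h.split('.')[0];                // drop the domain part

// Returns the parsed header, or a fallback record when neither format matches,
// so a non-matching line never throws inside the pipeline.
function parseSyslogHeader(raw, fallbackHost) {
  let m = RFC5424.exec(raw);
  if (m) {
    const host = nil(m[3]);
    return {
      version: 'rfc5424',
      pri: Number(m[1]),
      timestamp: nil(m[2]),
      host: host ? firstLabel(host) : fallbackHost,
      appName: nil(m[4]),
    };
  }
  m = RFC3164.exec(raw);
  if (m) {
    return { version: 'rfc3164', pri: Number(m[1]), timestamp: m[2], host: firstLabel(m[3]), appName: undefined };
  }
  return { version: 'unknown', pri: undefined, timestamp: undefined, host: fallbackHost, appName: undefined };
}

for (const line of SAMPLES) console.log(parseSyslogHeader(line, FALLBACK_HOST));
```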