Add field content mapping as extractor/converter #644

kroepke · 2014-08-01T10:11:09Z

Sometimes it is useful to map field values to other representations while extracting data.
For example the redis severity is a single character, but it would be nice if it was represented just like the syslog severity.

Add a converter type that supports a hash lookup table. That table could be static, or periodically refreshed from some external source.
Be careful to make the converter code path very fast and if the converter is updatable, that should happen on a different thread, replacing the entire table without taking locks.

via a mailing list post

runningman84 · 2014-08-01T10:54:17Z

another use case are firewall logs, you get actions like:

permit
accept
Permitted
allow

these should all map to permit.

bernd · 2015-02-27T16:30:49Z

See also #302

kroepke · 2016-04-22T10:37:40Z

Some of this is now possible using the pipeline processing feature in 2.0:
https://gist.github.com/kroepke/27de3bfa2123c5b9ef091888068526cb

kroepke added the processing label Aug 1, 2014

bernd mentioned this issue Feb 27, 2015

Support translation / dictionary lookup / rewriting in extractors #302

Closed

bernd added the feature label Aug 10, 2015

florianpopp added the triaged label Dec 22, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add field content mapping as extractor/converter #644

Add field content mapping as extractor/converter #644

kroepke commented Aug 1, 2014

runningman84 commented Aug 1, 2014

bernd commented Feb 27, 2015

kroepke commented Apr 22, 2016

Add field content mapping as extractor/converter #644

Add field content mapping as extractor/converter #644

Comments

kroepke commented Aug 1, 2014

runningman84 commented Aug 1, 2014

bernd commented Feb 27, 2015

kroepke commented Apr 22, 2016