Graylog extractor for comma-separated key value pairs


I think I'm just not understanding or missing a core concept of Graylog and its extractors. I just want to take my key value pairs that are comma-delimited and break them out into respective fields.

Sample Log Message

2016-01-22 18:04:05,639 – host_info_log – INFO – '

Note: keys are not always in the exact same location, most of the time cpu_count is first, but not always.

Best Answer

The key (ha!) is to add a converter for Key=Value pairs to fields.

Using both CSV and Key=Value converters doesn't do what you want, however; neither knows about the other's delimiter. Key=Value assumes whitespace. So one solution is to use a Replace with regular expression extractor to turn each comma into a space, and add Key=Value at the end (remember to hit the Add button).

Add a string condition for performance reasons and to avoid incorrect extractions.

Final result looks something like this:

    {
      "extractors": [
        {
          "condition_type": "string",
          "condition_value": "host_info_log",
          "converters": [
            {
              "type": "numeric",
              "config": {}
            },
            {
              "type": "tokenizer",
              "config": {}
            }
          ],
          "cursor_strategy": "copy",
          "extractor_config": {
            "regex": ",",
            "replacement": " ",
            "replace_all": true
          },
          "extractor_type": "regex_replace",
          "order": 0,
          "source_field": "message",
          "target_field": "host_info_log",
          "title": "serverfault"
        }
      ],
      "version": "1.3.3 (0fda9dc)"
    }