We are using the Custom UDP Integration within Fleet. When it collects logs, it throws all the log data into a message field. I'm not very familiar with ingest pipelines and whether or not Grok or Json would be the best way to extract certain fields.
For example, below is one sample message, but I'm not sure how I can split it out via the pipeline.
<174>Jan 24 19:52:56 INFO uvm[0]: {"entitled":true,"CClientAddr":"192.168.X.X","sessionId":XXXXXX,"SClientAddr":"192.168.X.X","CClientPort":33986,"timeStamp":"2022-01-25 02:52:56.312","protocol":17,"clientIntf":0,"hostname":"192.168.X.X","CServerPort":53,"policyId":0,"SClientPort":33986,"protocolName":"UDP","bypassed":true,"SServerPort":53,"CServerAddr":"1.1.1.1","localAddr":"192.168.X.X","class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"1.1.1.1","serverIntf":0,"remoteAddr":"1.1.1.1"}
For example, how would I pull out the CClientAddr field into client.address?
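One way to do this is to use both processors: grok to peel the syslog header off the message and leave the JSON body in a temporary field, then the json processor to parse that body, and rename to move individual keys into ECS fields. The pipeline below is an added example written against the sample line above, not part of the original post; the pipeline name, the temporary `_tmp` field, the `untangle` target object and the ECS field choices are assumptions, and it assumes the real `sessionId` is a plain number (the `XXXXXX` redaction in the sample is not valid JSON).

```json
{
  "description": "Example: split Untangle syslog header from its JSON payload (added example)",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "<%{NONNEGINT:log.syslog.priority:int}>%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{LOGLEVEL:log.level} %{PROG:process.name}\\[%{INT:process.pid:int}\\]: %{GREEDYDATA:_tmp.json}"
        ]
      }
    },
    {
      "json": {
        "field": "_tmp.json",
        "target_field": "untangle"
      }
    },
    {
      "rename": {
        "field": "untangle.CClientAddr",
        "target_field": "client.address",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "untangle.CClientPort",
        "target_field": "client.port",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "untangle.CServerAddr",
        "target_field": "server.address",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "untangle.CServerPort",
        "target_field": "server.port",
        "ignore_missing": true
      }
    },
    {
      "remove": {
        "field": "_tmp",
        "ignore_missing": true
      }
    }
  ]
}
```

Save it with `PUT _ingest/pipeline/<your-pipeline-name>` and try it against the sample line with `POST _ingest/pipeline/<your-pipeline-name>/_simulate` before pointing the integration's custom pipeline setting at it; the remaining JSON keys stay under `untangle.*` so nothing is lost while you decide which other fields to map.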