parse_cef translate_custom_fields

[aacgood]

Hi,

Im using the parse_cef function with translate_custom_fields: true and it seems like its not remapping all my cs#Label / cs# fields.

Having a look at the source code, it appears that build_map only has a hard coded list of 22 fields it will do the translation on. (ie: it doesnt do cs7Label/cs7 onwards)

https://github.com/vectordotdev/vrl/blob/main/src/stdlib/parse_cef.rs#L15

Is this expected, or is there a way to have the code just look for cs?Label -> cs? for logs that contains a large number of custom fields and not be limited to whats in the current build_map?

[aacgood]

Anyone able to comment on this?

[pront]

Hi @aacgood, can you provide an example in the VRL playground?
Something like this using as log with a cs7Label.

[pront]

Also, yes you are correct those fields are not supported by the current CEF implementation.

Can you point me to the specification you are using for reference? If those are part of the spec, it is worth creating an issue requesting enhancement. And as always, contributions are always welcome.

[aacgood]

Thanks @pront,

Im not sure of the actual spec that the vendor used in this case for their logging, however there are a large number of cs#Label/cs# fields with the data im working with. My understanding is that CEF isnt limited to the number of these cs# fields that can be included.

Im not sure if this function can be updated to be more dynamic if the key starts with cs#Label and has as an associated cs# value that its able to be joined together like the existing fields.

Unfortunately I cant code in the language VRL is in so I wont be able to contribute a fix.

VRL Playground