I’m trying to parse nftables logs from my OpenWRT router. logfmt does a great job already but I’m banging my head at this issue:
The logs can either be [time.stamp] reject wan in: IN=br-wan OUT= ...
or [time.stamp] banIP/inp-wan/drop/backscattererv4: IN=br-wan OUT= ...
In the former case, I would ideally like to get action=“reject”, table=“wan in”, in the latter action=“drop”, table=“inp-wan”, blocklist=“backscattererv4”
For the moment, I’m using | pattern ' [<stamp>] <action>:' which gives me the whole block in the action label but that’s not ideal at least for the further processing where I would like to show a piechart for hits by blocklist in my dashboard.
Is there a way to get the separated labels as I want them or at least can I split this banIP/… content by “/” so that I can get a count by blocklist?
I think easiest approach might be to have two different queries, and you can differentiate by checking whether there is a slash in “action” or now. For example:
Thank you! I have been thinking about that but I was afraid it would be to costly to run two queries. It’s probably the best to ignore the action/table/blocklist in general analysis whenever possible then.
