Change Winlogbeat Field Names


I have been using NXLog for shipping Windows events, but I’d like to switch over to Winlogbeat. My problem is that Winlogbeat ships all event fields with a “winlogbeat_” prefix for the name. I already have many dashboards and extractors set up using the field name without the Winlogbeat prefix. Is there a way to change this behavior?

Thank you!

You could create a pipeline rule to rename the relevant message fields using the rename_field() function.

Hi jochen!

Thank you for the suggestion! I’m still pretty new to Graylog and haven’t messed around with pipelines yet. Would I need to make a rule for every individual field name or could I make a rule to remove all “winlogbeat_” prefixes?

You would need to create a rule renaming the relevant fields individually.
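
The suggestion above (a pipeline rule calling rename_field() once per field) looks like the following. This is an added example, not code from the thread or from the Graylog project; the Winlogbeat field names it renames (winlogbeat_event_id, winlogbeat_computer_name, and so on) are assumed for illustration and should be checked against the fields your Beats input actually produces.

```text
// Added example: strip the "winlogbeat_" prefix from a few common fields.
// One rename_field() call per field, since there is no wildcard rename.
rule "strip winlogbeat_ prefix"
when
  // Only fire on messages that came from Winlogbeat (assumed marker field).
  has_field("winlogbeat_event_id")
then
  rename_field("winlogbeat_event_id", "event_id");
  rename_field("winlogbeat_computer_name", "computer_name");
  rename_field("winlogbeat_log_name", "log_name");
  rename_field("winlogbeat_source_name", "source_name");
  rename_field("winlogbeat_level", "level");
  // Assumption: rename_field() leaves the message unchanged when the
  // source field is absent, so fields missing from a given event are skipped.
end
```

Attach the rule to a stage of a pipeline that is connected to the stream receiving the Beats input, then confirm in the search view that the unprefixed names appear. Extractors run at the input stage, before pipeline rules, so any extractor keyed to the unprefixed names will not see them; that logic needs to move into pipeline rules as well.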

Hej @rob.smith

You might want to sneak into this blog article that gives you a good example for the renaming of Winlogbeat fields.

Thank you both! I’ll check out pipelines and see how it goes.