Custom field, how to break down per word rather than the full string

Hugo · May 8, 2017, 4:09pm

Hi, is there a way to reproduce the behavior of the message field in a custom field?
I.e. Break down per word rather than limited to full string?

My use case is the following:
I have a custom field named “loggerName” which contains string values such as “java.util.concurrent”, “com.hibernate.stats”, “org.apache.commmons”, etc.

I created an extractor (Replace with regular expression) to replace dots to whitespaces.
However when I chose “quick value” it shows a break down per “full string”.

Actual result:
“java.util.concurrent”
“com.hibernate.stats”
“org.apache.commons”

Expected result:
java
util
concurent
com
hibernate
stats
org
apache
commons

Thank you.

jan · May 9, 2017, 7:27am

Hej Hugo,

did you like to have them separated into different fields? Then you should use Extractors/Pipeline for that.

If you like to have this analyzed than you need to create a custom Elasticsearch Mapping http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#custom-index-mappings

Topic		Replies	Views
Custom fields are searchable? Graylog Central (peer support)	4	2670	April 14, 2017
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	808	October 14, 2019
Searching Custom JSON Fields Graylog Central (peer support)	3	4951	February 14, 2018
Grok Extractor - Remove data from field Graylog Central (peer support)	3	1074	August 13, 2020
JsonExtractor stranbe behavior with '.' as key separator Graylog Central (peer support)	7	433	September 22, 2021

Custom field, how to break down per word rather than the full string

Related Topics