Define fields in log4j.xml

I have defined the level property as a string, but in Graylog the level field has a numeric value.
Please have a look at the details below…

    <logger name="com.siemens.energy.td.changeevent.server.persistence">
        <level value="DEBUG" />
    </logger>

But in Graylog the parsed field value is numeric, equivalent to the syslog code for debug.
Please have a look at the screenshot below…

image

Please let me know why the level field does not have a string value.

-Arif

How did you ingest the message from your local instance to Graylog?

Would a decorator work for you? Meaning the number is saved, but on display it is translated to the name?

I am sending these logs via GELF.
I have placed the GELF jar file in our applications and configured log4j.xml, and that is where I have defined all the levels as well.

I did not use the decorator as it was not providing the searching field.
I had used the pipeline that is converting the log levels to a syslog string like informational.

Background:

I had added the field Severity to all logs in Graylog.
This Severity has different values for the same log level, like

Severity: INFO
Severity: Informational

I do not want this. What I want is that this Severity must have one value, that is Severity: INFO, throughout all the logs.

I do not want this.

Use the power of the processing pipeline - check for the value you do not want and correct that to the value you like …

I am trying to create the pipeline…

rule "Severity Mapper"
    when 
    has_field("level")
    then 
    let mapping = { 0: "FATAL (0)", 1: "Alert (1)", 2: "SEVERE (2)", 3: "ERROR (3)", 4: "WARNING (4)", 5: "Notice (5)", 6: "INFO (6)", 7: "DEBUG (7)"};
    set_field("Severity", mapping[to_string($message.level)]);
    end

but it is giving an error

mismatched input '0' expecting {'}' , identifier

Please let me know what the syntax error is here.

What function did you try to use in your rule? Can you show that to me in the docs please.

The function which I am using, “syslog_level”, maps loglevel 6 to “informational”, but I want to map loglevel 6 to “INFO”; that is why I am trying to do the re-mapping.
I am not sure what function I can use here.

Actually for gelf-java logs “syslog_level” mapper works perfectly fine.
The problem is for glassfish server logs which i am sending with the help of filebeat.
Please find the format below…

[2019-07-08T13:18:35.440+0200] [Payara 4.1] [INFO] [NCLS-JMX-00005] [javax.enterprise.system.jmx] [tid: _ThreadID=46 _ThreadName=Thread-12] [timeMillis: 1562584715440] [levelValue: 800] [[
JMXStartupService has started JMXConnector on JMXService URL service:jmx:rmi://ip-10-142-244-132.eu-central-1.compute.internal:28386/jndi/rmi://ip-10-142-244-132.eu-central-1.compute.internal:28386/jmxrmi]] 

I have applied the “LOGLEVEL” grok pattern as an extractor, so on Glassfish server logs “Severity” has the value “INFO”.

Glassfish application Logs by gelf-java “Severity: Informational”
Glassfish Server logs by filebeat “Severity: INFO”

The same goes for the other log levels.

I want only one value of Severity throughout the logs, according to their log levels.

I tried to create my log mapper above but it seems no function is available for that.

Please provide some direction.

You simply tried something in “Define fields in log4j.xml” that is not possible in the rule language. You need to use a way that works and not something you imagine could work.

Yes, that is what I am looking for help with: what options can I try?
Is it possible to change the value of the fields, like INFO to informational or vice versa?

-Arif

Yes, but you need one rule for each state. You can’t define a ‘case’ array or similar.
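
The one-rule-per-state approach from the last reply, written out as an added example that is not part of the original thread. It assumes the field names `level` and `Severity` and the target labels used in the posts above; the rule names are made up for illustration.

```graylog
// Constructed example: each rule is saved as its own pipeline rule
// and all of them are added to the same pipeline stage.

// GELF messages: "level" holds the numeric syslog severity.
rule "Severity from level 3"
when
    has_field("level") && to_string($message.level) == "3"
then
    set_field("Severity", "ERROR");
end

rule "Severity from level 6"
when
    has_field("level") && to_string($message.level) == "6"
then
    set_field("Severity", "INFO");
end

rule "Severity from level 7"
when
    has_field("level") && to_string($message.level) == "7"
then
    set_field("Severity", "DEBUG");
end

// Messages that already carry the syslog wording in Severity
// are rewritten to the short label, ignoring case.
rule "Severity Informational to INFO"
when
    has_field("Severity") &&
    lowercase(to_string($message.Severity)) == "informational"
then
    set_field("Severity", "INFO");
end
```

The remaining levels follow the same pattern, one rule per numeric value and one per spelling that needs rewriting.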
