I’m trying to add some rules to a pipeline. I searched through the documentation and did find information on the functions that are available for rules (https://docs.graylog.org/en/3.2/pages/pipelines/functions.html) … but I’m still struggling to find what the field names are inside a $message. Does anyone have any pointers?
Those field names are unique for each installation, kind of.
When you send in structured logs, the field names are created by the application that sends in the data. Syslog messages have some fields that are defined for syslog, like facility, severity and application.
Because this can be seen as key-value pairs, or like the table header in your sheet, it can’t be named in any kind of documentation.
Thanks for the quick reply! That makes sense, no issue … but any pointers / suggestions to figure out what keys have been assigned (i.e. what names to use to access the data)?
Look at the message you’re writing the rule for, look for the field you’re interested in.
The field name shown in the message will be what you’re looking for.
Do you mean in the Graylog interface? I can definitely see fields “missing” there (like gl2_remote_ip, for example). Thinking that I could use the Elasticsearch API perhaps, calling it with the full message number … would that work? Just not sure of the syntax to use for that.
FYI, to share and help others with this later (and it may be what you’re meaning!) … if you run an Elasticsearch query with a search of _id:(the full / actual message UID), the (curl / API) output will show you all the available parameters (keys).
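Worked example of the approach in the two posts above (look at the stored message, take the field names from it): this is an added script, not code from the thread or from Graylog. It builds the Elasticsearch request that is equivalent to `?q=_id:<id>`, pulls the field names out of the `_source` of the returned hit, and prints a pipeline rule that references one of those fields as `$message.<name>`. The endpoint `http://127.0.0.1:9200`, the index pattern `graylog_*`, the message id and the sample response are all assumed or constructed so the script runs offline; on a real installation `fetch_message()` does the network call.

```python
"""Added example (not from the original thread or from Graylog): find the field
names of one stored message via Elasticsearch, then reference them in a rule."""
import json
from urllib.request import Request, urlopen

# Assumptions: Elasticsearch reachable locally, Graylog indices match graylog_*.
ES_URL = "http://127.0.0.1:9200"
INDEX = "graylog_*"


def ids_query(message_id):
    """JSON body equivalent to the URL form  .../_search?q=_id:<message_id>
    (an `ids` query is safer than q= because the id needs no escaping)."""
    return {"query": {"ids": {"values": [message_id]}}, "size": 1}


def fetch_message(message_id, es_url=ES_URL, index=INDEX):
    """Run the query against a live Elasticsearch (network; not used offline).
    Equivalent curl:  curl -s 'http://127.0.0.1:9200/graylog_*/_search?q=_id:<id>&pretty'"""
    req = Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(ids_query(message_id)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def field_names(search_response):
    """Sorted keys of `_source` of the first hit: exactly the names usable as
    $message.<name> in a pipeline rule. Returns [] when the id matched nothing."""
    hits = search_response.get("hits", {}).get("hits", [])
    if not hits:
        return []
    return sorted(hits[0].get("_source", {}).keys())


def rule_for_field(name, rule_name="copy-field"):
    """Pipeline rule text that reads the discovered field. has_field() guards
    the rule so it does nothing for messages that lack the field."""
    return (
        f'rule "{rule_name}"\n'
        f"when\n"
        f'  has_field("{name}")\n'
        f"then\n"
        f'  set_field("{name}_copy", to_string($message.{name}));\n'
        f"end\n"
    )


# Constructed sample of what _search returns for one Graylog message; the id,
# timestamps and values are made up, the field names are typical Graylog ones.
SAMPLE_ID = "3f9c1a40-2b7e-11ea-a0a1-0242ac120002"
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [
            {
                "_index": "graylog_0",
                "_id": SAMPLE_ID,
                "_source": {
                    "message": "sshd[2231]: Failed password for root from 203.0.113.7",
                    "source": "bastion01",
                    "timestamp": "2020-03-01 10:15:42.000",
                    "facility": "auth",
                    "level": 4,
                    "streams": ["000000000000000000000001"],
                    "gl2_remote_ip": "203.0.113.7",
                    "gl2_source_input": "5e5b1c0a8f1a2b3c4d5e6f70",
                    "gl2_source_node": "1b2c3d4e-0000-4000-8000-000000000001",
                },
            }
        ],
    }
}


if __name__ == "__main__":
    # Offline run over the constructed response; swap in fetch_message(SAMPLE_ID)
    # to hit a real cluster.
    names = field_names(SAMPLE_RESPONSE)
    print("fields in message", SAMPLE_ID)
    for n in names:
        print("  $message." + n)
    print(rule_for_field("gl2_remote_ip"))
```

The `gl2_*` names come back alongside the visible ones because they are stored in `_source` like any other field, which is why querying the document directly answers the “missing in the UI” question; `has_field()` and `to_string()` are documented Graylog pipeline functions, so the generated rule pastes straight into a pipeline.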