Doing a pipeline rule

I am weak at writing pipeline + regex rules. I would need help with the following.

I have this message coming in:

Dec 28 11:47:20 graylog01 filebeat[48973]: 2023-12-28T11:47:20.874+0800#011INFO#011[input.harvester]#011log/harvester.go:310#011Harvester started for paths: [/var/log/*]#011{"input_id": "4bc7f922-ab75-4db4-bfe2-54f2f8acb5e7", "source": "/var/log/dmesg.1.gz", "state_id": "native::594-64768", "finished": false, "os_id": "594-64768", "old_source": "/var/log/dmesg.1.gz", "old_finished": true, "old_os_id": "594-64768", "harvester_id": "ef0c3cee-a7b0-45e2-b185-c75976d750c2"}

But I would like to write a pipeline rule to make it nicer looking, for example in the following format:

source:
state_id:
finished:
os_id:
old_source:
old_finished:
old_os_id:
harvester_id:
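One way to get those fields is a Graylog pipeline rule that captures the trailing JSON object and lifts its keys into message fields. This is an added example, not code from the thread; it assumes the JSON uses straight double quotes as filebeat writes them, and the field prefix fb_ is a constructed choice. The prefix matters because the harvester JSON carries its own "source" key, which would otherwise overwrite Graylog's source field (graylog01).

```graylog
rule "filebeat harvester: lift JSON into fields"
when
    // only touch the harvester lines, which all carry the trailing JSON object
    contains(value: to_string($message.message), search: "Harvester started for paths")
then
    // capture from the first "{" to the last "}" at the end of the line (constructed regex)
    let m = regex(pattern: "(\\{.*\\})\\s*$", value: to_string($message.message));
    // m["0"] is the first capture group; parse_json needs valid JSON (straight quotes)
    let json = parse_json(to_string(m["0"]));
    // fb_ prefix keeps "source"/"state_id"/... from clobbering existing message fields
    set_fields(fields: to_map(json), prefix: "fb_");
end
```

After the rule runs, the message carries fb_source, fb_state_id, fb_finished, fb_os_id, fb_old_source, fb_old_finished, fb_old_os_id and fb_harvester_id as separate searchable fields.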

Can you share how you are shipping these logs to graylog? Are you using filebeat? The message you provided appears to be a syslog message generated from filebeat.

The following blog post should be a good resource for getting started:


Hey,

I was trying different collectors to send to different types of input.
So for this example, I have configured filebeat.yml and pointed it to /var/lib/*.log, so it will send any file that ends with .log.
