Hi everyone,
Is it possible to drop the default message field?
We extract all values with the JSON extractor, but the cut is not working for the message field.
Also, dropping the message field in the pipeline is not working for me.
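rule "delete message field"
when
  // only run on messages that carry a "message" field
  has_field("message")
then
  // copy the message into a scratch field, then try to remove both
  set_field("test", $message.message);
  remove_field("message");
  remove_field("test");
end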
Removing the field test works, but removing the field message does not.
The “message” field is special because Graylog expects messages to have that field (as well as “timestamp”, “source”, and some internal fields prefixed with “gl2_”). As a result, it’s not possible to remove the “message” field or replace it with an empty string.
We might change that in the far future, but don’t hold your breath.