It seems that Graylog is heading away from Extractors and toward Pipelines. I had installed an Apache extractor set from the Marketplace but it’s “extracting” every message, and not just Apache messages. Given the documentation available to me I could not figure out how to limit the extractor to “facility:local6” in the existing extractors. I have a Stream already that does that. So my question is what is the preferred way going forward to do this? There is no Content Pack for Apache. I see there are many for nginx. And if I search Marketplace for pipeline I get 1 hit. That hardly sounds like moving toward pipelines to me?
You can use extractors for one field, so you can’t do it with them.
Extractors work on inputs; you can’t assign them to streams.
I don’t think you need it. Write your own.
Also, for the extractors that are not working: you need to find out where the problem is. I think it’s only another log format. Grab your extractor, delete half of it, and try to find where the difference is. Or write a new one. Maybe all of it takes 10 minutes.
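
Pipelines, unlike extractors, are connected to streams, so a pipeline rule is one way to parse only the messages in the existing "facility:local6" stream. The following is an added example, not part of the original posts: the rule and pipeline names are hypothetical, and it assumes the `COMBINEDAPACHELOG` Grok pattern is installed in Graylog and that the raw access-log line is in the `message` field.

```graylog
// Rule source (System > Pipelines > Manage rules).
// The facility check keeps the rule safe even if the pipeline is later
// connected to a stream that carries other messages as well.
rule "parse apache access log (local6)"
when
  has_field("facility") &&
  to_string($message.facility) == "local6"
then
  // Assumption: COMBINEDAPACHELOG exists under System > Grok Patterns.
  let parsed = grok(
    pattern: "%{COMBINEDAPACHELOG}",
    value: to_string($message.message),
    only_named_captures: true
  );
  // Lines that do not match the pattern yield no fields,
  // so the message passes through unchanged.
  set_fields(parsed);
end

// Pipeline source: connect this pipeline to the existing local6 stream.
pipeline "Apache access logs"
stage 0 match either
  rule "parse apache access log (local6)";
end
```

The Pipeline Processor must run after the Message Filter Chain in the message processor configuration for stream routing to have happened before the rule runs.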