Hi all, I need to create an extractor copying “gl2_remote_ip” to another field. In the “add extractor” GUI I see no means to select gl2_remote_ip as the source field. My workaround was to create an extractor for another field, export it, modify the source field in “gl2_remote_ip” and reimporting it.
Is this procedure correct? Can I do the same without resorting to extract/import? More generally, can “gl2_*” fields be visible in the “add extractor” page (I know they are hidden by default)?
Full disclosure: I need to overwrite the “source” field of specific syslog messages with the correct hostname. Due to increased load on the DNS, I would like to avoid rDNS lookup; at the same time, I am trying to avoid to create a dedicate input (whose “source” can be overwritten in the input configuration).
I create as CSV table with key/value as gl2_remote_ip/hostname and, via a lookup extractor, I used this table to replace “source” with the correct hostname value.
All seems working now; is there anything I should be aware of?
Thanks.
I personal would use the processing pipelines for that - because you can use the gl2_remote_ip field as lookup source against the dns lookup table (or whatever you use) and then overwrite the source field.
Once you adopt the working with the processing pipelines you’ll never look back to the extractors.
Sure, pipelines are much more configurable, but it in this case they seem too complex for such a simple task.
Basically, what I need is a method to specify and hidden field (gl2_remote_ip, in this case) when configuring an extractor (without resorting to export/modify/import). How can I do that?
