Extractors not creating fields for input

smonteleone · June 13, 2017, 7:36pm

Hey guys,
I have an input for Palo Alto that was created using the Palo Alto content pack available in the marketplace, which includes all the streams, dashboards, and extractors. This was working fine, but it seems that after I updated to 2.2 last week the extractor fields for this input are not creating the fields. If I test the extractors manually they work in the test, but they just don’t work. I have tried deleting the input and recreating it manually, manually creating extractors, using different types of extractors, different types of inputs (gelf, udp, raw, etc), and nothing is working. The only other thing that has changed is implementing the threat intel plugin from the marketplace and creating the pipeline rules for that. I hope this is something that is really obvious that I’m missing.

Thanks

jtkarvo · June 14, 2017, 5:54am

is the field type in the elasticsearch index the same / compatible with that that your extractor creates?

See https://www.elastic.co/guide/en/elasticsearch/reference/2.3/indices-get-field-mapping.html

and

http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html

system · June 28, 2017, 5:54am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Searching on extracted fields Graylog Central (peer support)	3	490	October 4, 2019
Palo Alto 9+ input no more working after update Graylog Central (peer support)	3	271	November 30, 2021
Changing the Extractors field mapping Graylog Central (peer support)	2	604	February 21, 2019
(Still) Unable To Edit Extractors Graylog Central (peer support)	11	884	August 7, 2021
Indexer failures perhaps due to extractor weirdness Graylog Central (peer support)	2	506	September 30, 2019

Extractors not creating fields for input

Related Topics