Hey,
we are having troubles with some field names.
We receive messages like the following via raw TCP input:
{"date":"2017-09-16","cs-method":"GET","proccessing_datetime":"2017-09-16T08:13:55.306Z","cs(Host)":"XXXXXXXXXXXXX.cloudfront.net","cs-uri-stem":"/monitoring.canary","cs-uri-query":"-","source":"logstash_cloudfront_processor","cs-protocol":"http","date_time":"2017-09-16 08:13:27","sc-status":"200","cs(User-Agent)":"Mozilla/5.0%2520(compatible;%2520monitis%2520-%2520premium%2520monitoring%2520service;%2520http://www.monitis.com)","cs(Referer)":"-","cs(Cookie)":"-","x-host-header":"linux.some.tld","cs-bytes":"214","x-edge-result-type":"Hit","x-forwarded-for":"-","ssl-protocol":"-","time-taken":"0.003","cs-protocol-version":"HTTP/1.1","x-edge-location":"LAX1","ssl-cipher":"-","x-edge-response-result-type":"Hit","sc-bytes":"601","x-edge-request-id":"mB3ZhsscyD52Ntn2nArolYbMuRNZrvRdAzq_S4YHptvVDYvJF7CwYQ==","time":"08:13:27","c-ip":"AAA.BBB.CCC.DD"}
We then apply the JSON extractor (default config) to it.
The “Try” button in the extractor config shows us exactly what we were expecting:
All the fields - including those starting with cs( - are shown.
The issue is that those fields are not visible once the message has been processed (image hosted on imgur as Graylog community does not allow more than 1 image for new users )
Is this some Graylog restriction, wrong config or perhaps a bug?
Thanks!