if there was a “time” field in my log ,i will not able to see them in graylog…
successed:
echo '{"version": "1.1","atime":"2018-01-12 16:22:00 ","short_message":"with_time","full_message":"Backtrace here\n\nmore stuff"}' |nc -w1 -u graylog-server 9999
failed:
echo '{"version": "1.1","time":"2018-01-12 16:22:00 ","short_message":"with_time","full_message":"Backtrace here\n\nmore stuff"}' |nc -w1 -u graylog-server 9999
What type of input have you created in Graylog and what’s its complete configuration?
Are you using any extractors or pipeline rules in your Graylog cluster (for that input)?
gelf-udp
bind_address: 0.0.0.0
decompress_size_limit: 8388608
override_source:
port: 9991
recv_buffer_size: 262144
Please answer all questions.
Also, you’re using port 9999/udp in your first post but 9991/udp in your second post.
Sorry,i typed wrong port number,it’s 9991,and there is No extractors or pipeline rules used for the input…
I’ve tried to reproduce your problem, but everything works as it should (GELF UDP input on port 12201/udp, no extractors, no pipeline rules).
echo '{"version": "1.1","atime":"2018-01-12 16:22:00 ","short_message":"with_time","full_message":"Backtrace here\n\nmore stuff"}' |nc -w1 -u graylog.example.org 12201
Result:
echo '{"version": "1.1","time":"2018-01-12 16:22:00 ","short_message":"with_time","full_message":"Backtrace here\n\nmore stuff"}' |nc -w1 -u graylog.example.org 12201
Result:
resolved:
WARN : org.graylog2.indexer.messages.Messages - Failed to index message: index=<k8s_26> id=<54d314c0-058c-11e8-b29c-52540040b828> error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse [time]”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Invalid format: “2018-01-12 16:22:00” is malformed at " 16:22:00"”}}>
https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-field-mapping.html