I am used to seeing a message that is standard as “the thing that was originally parsed” as well as a standard “message ID” in all my other Graylog inputs based on logs. However, with my shiny new “JSON Path from HTTP Input” I don’t see either. All I do see is my json path expression and result. I want, of course (of course?) to extract the actual value targeted by my json path, so in:
I would like the value stored in elastic search to be 15082 for the field mailgun_events_count. If we want to store that whole shebang as message, that’s find I guess, but there’s no value in it for me in this application.
When I got to Manage Extractors > Create Extractor, I don’t see how to get at a sample message, bc I don’t see anything in Recent Message, and I don’t have a Message Id to work with.
Solved!
I actually am not sure what solved it… but I did do some restarting of graylog-service and elasticsearch and stepped away to brush my teeth… then I found that the messages do get populated. Here’s what I learned:
The Input field called source is what the json path expression and resulting value will be stored as. I stopped calling it mailgun_events_count and instead called it message. This change can be seen in the attached screenshot.
The json path does extract a value without need for further json extractor nor pipeline. I don’t know why it didn’t show before, but it’s there now!
In the process of getting from wanting to try json path from http input to having now successfully implemented it as required, I did incur a number of big java stack dump errors in both graylog server log and elasticsearch logs until I finally restarted graylog-server only, and all was well.
I put this additional context out there in case someone else follows the same path: The Input works you just have to get it right, and the data is extracted as desired (eventually?).
