Getting message and Message ID from a JSON Path from HTTP Input stream

(Bronius Motekaitis) #1

I am used to seeing a message that is standard as “the thing that was originally parsed” as well as a standard “message ID” in all my other Graylog inputs based on logs. However, with my shiny new “JSON Path from HTTP Input” I don’t see either. All I do see is my json path expression and result. I want, of course (of course?) to extract the actual value targeted by my json path, so in:

I would like the value stored in Elasticsearch to be 15082 for the field mailgun_events_count. If we want to store that whole shebang as message, that’s fine I guess, but there’s no value in it for me in this application.

When I got to Manage Extractors > Create Extractor, I don’t see how to get at a sample message, bc I don’t see anything in Recent Message, and I don’t have a Message Id to work with.

Please advise?

(Bronius Motekaitis) #2

I actually am not sure what solved it… but I did do some restarting of graylog-service and elasticsearch and stepped away to brush my teeth… then I found that the messages do get populated. Here’s what I learned:

  • The Input field called source is what the json path expression and resulting value will be stored as. I stopped calling it mailgun_events_count and instead called it message. This change can be seen in the attached screenshot.
  • The json path does extract a value without need for further json extractor nor pipeline. I don’t know why it didn’t show before, but it’s there now!
  • In the process of getting from wanting to try json path from http input to having now successfully implemented it as required, I did incur a number of big Java stack dump errors in both graylog server log and elasticsearch logs until I finally restarted graylog-server only, and all was well.

I put this additional context out there in case someone else follows the same path: The Input works; you just have to get it right, and the data is extracted as desired (eventually?).

