Solved!
I actually am not sure what solved it… but I did do some restarting of graylog-service and elasticsearch and stepped away to brush my teeth… then I found that the messages do get populated. Here’s what I learned:
- The Input field called
sourceis what the json path expression and resulting value will be stored as. I stopped calling itmailgun_events_countand instead called itmessage. This change can be seen in the attached screenshot. - The json path does extract a value without need for further json extractor nor pipeline. I don’t know why it didn’t show before, but it’s there now!
- In the process of getting from wanting to try json path from http input to having now successfully implemented it as required, I did incur a number of big java stack dump errors in both graylog server log and elasticsearch logs until I finally restarted
graylog-serveronly, and all was well.
I put this additional context out there in case someone else follows the same path: The Input works you just have to get it right, and the data is extracted as desired (eventually?).
hth!