See if I can help, but I need a bit of a clarification.
Which part of the message string are you trying to extract? Just the piece before the word Error? In this case network “Network” or something else/more?
Can you expand on “it doesn’t appear anywhere”? Is it not listed in your fields on your Search tab if you click the field list button on the left navigation bar? Make sure you are not filtering on any streams.
I believe it’s not showing up because you haven’t had any hits against it and it hasn’t had cause to create it. But I’m not 100% on that.
I discovered why that’s the case and as simple as this would sound, it was a major issue for me.
So the punchline is … if you create extractors, they’ll never work on previously ingested logs, they ONLY and ONLY work on new logs coming in AFTER the extractor has been created. So yes, all previous log data cannot be filtered based on new extractor fields. So this is NOT a bug, it’s just the way Graylog is. And it’d make sense really; otherwise, the system will require massive CPU and memory resources to run your extractors against every single log line ever ingested.
Thanks @cawfehman for replying … I appreciate the time you took to respond. Many thanks man.
Glad you figured it out… this is where I was going. I was going to mention that the hit/misses increasing tell you that the extractor is being run against messages, just nothing is matching the pattern in your case.
Hey @cawfehman, the pattern matches perfectly, re-read my reply bro … it’s the fact that extractors don’t parse “ALREADY INGESTED” logs, they only work on new ones.
So don’t expect the fields to show up when new lines haven’t yet been ingested.
If it makes you feel any better this is also true of other log management tools such as ManageEngine Event Log Analyzer. I spent a couple of days pulling my hair out before it was explained to me.