Graylog 4.X Not Parsing All JSON Fields with parse_json()

jandrusk · April 13, 2021, 2:27am

I’m sending Suricata logs from PFSense to Syslog-NG to Graylog. I have a Graylog Pipeline with the following rule that parses some, but not all of the embedded JSON fields:

rule “suricata_strip”
when contains(to_string($message.message), “kiera suricata”) then
let m = regex_replace(“kiera suricata: “, to_string($message.message),to_string(””) );
let json_fields = parse_json(m);
set_fields(to_map(json_fields));
end

I’m using a regex_replace to remove the leading string that Syslog-NG is adding, so it’s stripped down to pure JSON. However, when I looked at one of the messages only certain fields are parsed into new fields. Attaching two screenshots of a sample of a partially parsed message. Some messages are not parsed at all.

Any ideas?

shoothub · April 13, 2021, 7:17am

Try to use json extractor, sometimes extractor is better in parsing than pipeline rule function.

Topic		Replies	Views
Parsing json pipeline not working Graylog Central (peer support)	0	53	April 8, 2025
Syslog -> input -> stream -> pipeline: JSON sources appear to be problematic Graylog Central (peer support)	3	46	February 15, 2026
Pipeline rule to extract json not working Graylog Central (peer support)	7	1191	June 27, 2022
JSON extraction in pipeline rules Graylog Central (peer support) pipeline-rules	7	5629	November 9, 2017
Pipeline Rule doesn't see extracted fields but only a few $message properties like $message.message and $message.level Graylog Central (peer support) pipeline-rules , debuggingpl	4	2343	November 29, 2017

Graylog 4.X Not Parsing All JSON Fields with parse_json()

Related topics