How to add/remove additional fields in Graylog?


#1

Hi,

Thanks for your guidance. I would like to include additional fields in the Fields tab of the search result. I have taken a look at the extractors and configured them accordingly. For instance, this is the message to parse:

2019-03-12 10:15:51 [https-jsse-nio-8020-exec-10] INFO : ASCPA7C500611418  ab.bc.cde.efg.common.rest.endpoints.component.filter End

I added JAVACLASS pattern:

(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*

After that, I configured the extractor and included the following pattern:

%{TIMESTAMP_ISO8601}(?:%{SPACE})%{SYSLOG5424SD}(?:%{SPACE})%{LOGLEVEL}*(?:%{SPACE}):*(?:%{SPACE})%{WORD}*(?:%{SPACE})%{JAVACLASS:class}%{GREEDYDATA}

This provided the following Extractor preview:

WORD: ASCPA7C500611418
TIMESTAMP_ISO8601: 2019-03-12 10:15:51
MONTHNUM: 03
HOUR: [10, null]
message: End
SPACE: [ , , , , ]
YEAR: 2019
DATA: https-jsse-nio-8020-exec-10
MINUTE: [15, null]
SECOND: 51
LOGLEVEL: INFO
JAVACLASS: ab.bc.cde.efg.common.rest.endpoints.component.filter
MONTHDAY: 12
SYSLOG5424SD: [https-jsse-nio-8020-exec-10]

The Java class is parsed correctly, but in the search result ALL the fields are shown under the Fields tab.

However, I just want to add the “class” field to the list. How can I get rid of the other fields? I already attempted to keep just JAVACLASS, but I am not getting the appropriate value for the class.

Thanks for your help


(Jan Doberstein) #2

As you are using GROK, checking “named_captures_only” will do the trick.


#3

Thanks a lot, Jan, this option worked when including grok statements. However, I am looking at how to drop the filebeat fields from the search page. I configured a pipeline and connected it to a rule with the following rule source:

rule "function removeFields"
when
    has_field("beats_type")
then
    remove_field("beats_type");
    remove_field("filebeat_@metadata_beat");
    remove_field("filebeat_@metadata_type");
    remove_field("filebeat_@metadata_version");
    remove_field("filebeat_@timestamp");
    remove_field("filebeat_beat_hostname");
    remove_field("filebeat_beat_name");
    remove_field("filebeat_host_architecture");
    remove_field("filebeat_host_containerized");
    remove_field("filebeat_host_id");
    remove_field("filebeat_host_name");
    remove_field("filebeat_host_os_codename");
    remove_field("filebeat_host_os_family");
    remove_field("filebeat_host_os_name");
    remove_field("filebeat_host_os_platform");
    remove_field("filebeat_host_os_version");
    remove_field("filebeat_input_type");
    remove_field("filebeat_meta_cloud_instance_id");
    remove_field("filebeat_log_file_path");
    remove_field("filebeat_meta_cloud_instance_name");
    remove_field("filebeat_meta_cloud_machine_type");
    remove_field("filebeat_meta_cloud_provider");
    remove_field("filebeat_meta_cloud_region");
    remove_field("filebeat_prospector_type");
    remove_field("filebeat_log_flags");
end

Thanks for your help :slight_smile:
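As an added example (not from this thread or from Graylog itself), the following Python model shows what “named_captures_only” changes: it expands the grok pattern from post #1 over the sample line and reports either every referenced pattern as a field or only the explicitly named %{JAVACLASS:class}. The pattern library is a constructed, simplified subset, with the sub-patterns of TIMESTAMP_ISO8601 inlined, so the unnamed output has fewer keys than the real extractor preview.

```python
import re

# Constructed, simplified subset of the grok pattern library: enough to match the sample
# line from the thread. The real library nests sub-patterns (YEAR, MONTHNUM, HOUR, ...)
# inside TIMESTAMP_ISO8601; here they are inlined, so the unnamed output has fewer keys.
GROK_PATTERNS = {
    "SPACE": r"\s*",
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?:INFO|WARN|ERROR|DEBUG|TRACE|FATAL)",
    "GREEDYDATA": r".*",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?",
    "SYSLOG5424SD": r"\[[^\]]*\]",
    # The custom JAVACLASS pattern added in the thread.
    "JAVACLASS": r"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*",
}

# The extractor pattern and the sample log line from the thread.
PATTERN = (r"%{TIMESTAMP_ISO8601}(?:%{SPACE})%{SYSLOG5424SD}(?:%{SPACE})%{LOGLEVEL}*"
           r"(?:%{SPACE}):*(?:%{SPACE})%{WORD}*(?:%{SPACE})%{JAVACLASS:class}%{GREEDYDATA}")
LINE = ("2019-03-12 10:15:51 [https-jsse-nio-8020-exec-10] INFO : ASCPA7C500611418  "
        "ab.bc.cde.efg.common.rest.endpoints.component.filter End")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_match(pattern, text, named_captures_only):
    """Expand %{PATTERN[:field]} references into regex groups and return extracted fields.

    named_captures_only=False: every referenced pattern becomes a field under its pattern
    name (what the extractor preview showed). True: only %{X:field} references survive.
    """
    groups = {}  # regex group id -> (output field name, was it explicitly named?)

    def expand(ref):
        pat, field = ref.group(1), ref.group(2)
        gid = f"g{len(groups)}"  # unique group id, since e.g. SPACE repeats
        groups[gid] = (field or pat, field is not None)
        return f"(?P<{gid}>{GROK_PATTERNS[pat]})"

    match = re.match(GROK_REF.sub(expand, pattern), text)
    if not match:
        return None
    fields = {}
    for gid, (field, is_named) in groups.items():
        if named_captures_only and not is_named:
            continue
        fields.setdefault(field, []).append(match.group(gid))
    # Repeated patterns (SPACE) come back as a list, like the preview's "[ , , , , ]".
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}
```

Run `grok_match(PATTERN, LINE, True)` to see only the `class` field, and with `False` to see the pattern-named fields that cluttered the Fields tab.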