How to drop/truncate fields in JSON extractor?

leshik · February 5, 2020, 2:50am

Hi there,

I need advice on how to better configure Graylog for my use case. I’m sending logs from the Rails app in json format (using lograge gem), and then in Graylog I use JSON extractor to parse these into fields. This works quite well except two corner cases:

There are many fields in these JSON messages that I don’t need. They quickly hit ElasticSearch limit of 1000 fields. How these could be dropped, preferably using some wildcard or regex?
There are fields those lengths exceed 32kb (Base64 encoded files), thus they are not indexed. How these could be truncated to some sane length?

jan · February 5, 2020, 8:58am

he @leshik

the json extractor does not give you the option. One option would be to reduce the noise from your application … but you could also delete fields in Graylog with the processing pipeline and the function remove_field( https://docs.graylog.org/en/3.2/pages/pipelines/functions.html#remove-field )

system · February 19, 2020, 8:58am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON extractor and Cut mode Graylog Central (peer support)	3	656	January 29, 2019
Extractor missing fields. How can I troubleshoot? Graylog Central (peer support)	14	3550	December 27, 2017
Remove some fields from message Graylog Central (peer support)	7	1229	August 25, 2022
Problem with JSON extractor Graylog Central (peer support)	4	2045	June 15, 2017
Removing key from pipeline map Graylog Central (peer support)	3	1752	October 4, 2019

How to drop/truncate fields in JSON extractor?

Related Topics