How to modify type of SEVERITY field in CEF format

KirM · September 11, 2019, 2:38pm

Hi,

Sorry for my bad english !

Here is the version of different packages what I use :

elasticsearch-6.8.2-1.noarch            
graylog-server-3.1.1-1.noarch           
graylog-3.1-repository-1-1.noarch       
mongodb-org-tools-3.6.14-1.el6.x86_64   
mongodb-org-3.6.14-1.el6.x86_64         
mongodb-org-shell-3.6.14-1.el6.x86_64   
mongodb-org-server-3.6.14-1.el6.x86_64  
mongodb-org-mongos-3.6.14-1.el6.x86_64

I use graylog to collect log from OSSEC SERVER in CEF format

When I want to search severity field with arithemtics comparaison such as “<, <=, >=,>”.
I note the wrong result, exemple : “source: AND severity:<7” , results are severity 5,7,10 …

After find type of severity field in ES, I noted is “keyworld” and not “long”

My question is, how can I modify type of this field for current index and new index ?
Otherwise, is it possible to use Pipeline or GROK or something else to modify in realtime the type of this field ?

Regards,

KirM

system · September 25, 2019, 2:38pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to perform search query: unknown field [disable_coord] Graylog Central (peer support)	5	1243	September 9, 2021
Graylog unable to connect to AWS Elasticsearch cluster Graylog Central (peer support)	10	2572	September 20, 2018
No fields to show Graylog Central (peer support)	15	2120	July 27, 2021
Could not load field information Graylog Central (peer support)	4	3026	April 6, 2018
Unrecognized field "type" after upgrade from 4.3 to 5.0 Graylog Central (peer support)	2	180	April 12, 2023

How to modify type of SEVERITY field in CEF format

Related Topics