Hello, we have an appliance that sends JSON-formatted log data in the message field. When I try to create a JSON extractor on it I'm getting "Nothing will be extracted" in the extractor preview, and it also doesn't extract data after saving.
In the Example message field when creating an extractor there is what resembles perfect JSON; I also tested it with jq and it worked fine. Here's the JSON sample:
{"event_type":"Audit_Event","ipv4":"192.168.0.140","hostname":"era.wupb.lokalna","source_uuid":"4a8c1c40-88a7-4a12-bb9b-abe464000db8","occured":"30-Aug-2018 06:30:04","severity":"Error","domain":"Native user","action":"Login attempt","target":"Administrator","detail":"Authenticating native user 'Administrator'.","user":"476465db-5807-4c0b-8b51-30678f753b42","result":"Access denied"}
There's no JSON parsing info in the Graylog logs; setting the logs to debug and grepping for JSON doesn't spit out anything either.
Could this be the cause of the JSON not being parsed?
Also, the regex extractor conditional returns false with ^\{, so there seems to be some invisible data at the beginning.
The data you highlight is the syslog "overhead", but it might be that the message field contains unprintable characters.
You might want to enable "store full_message" on this input for some time to get the full message saved (as it is received by Graylog), so you are able to debug this.
This can be done on the Input page when you edit the Syslog Input.
I've extracted the bare JSON to another field with the regex extractor "(\{.*\})", and when I try to create a JSON extractor on that field I still get the "Nothing will be extracted" info. I also found that the bytes at the beginning are a UTF-8 BOM; may the JSON parser fail because of those?
EDIT: OK, the proper JSON extraction regex is ^\uFEFF(\{.*\}); now the JSON extractor shows me the extracted preview, but I see no fields added in messages.
EDIT2: It works, I'd messed up the extractor order ;-)
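An added example (not part of the thread, and not Graylog's own extractor code) that reproduces the failure described above: a JSON document prefixed with a UTF-8 BOM is rejected by a plain JSON parser, and the thread's regex ^\uFEFF(\{.*\}) or a BOM-aware decode recovers the object. The sample record is constructed from the fields in the post.

```python
import json
import re

# Constructed sample: the appliance's JSON record prefixed with the UTF-8 BOM
# (EF BB BF), as the raw payload bytes would arrive at the syslog input.
BOM = b"\xef\xbb\xbf"
SAMPLE_JSON = (
    b'{"event_type":"Audit_Event","ipv4":"192.168.0.140","hostname":"era.wupb.lokalna",'
    b'"severity":"Error","action":"Login attempt","result":"Access denied"}'
)
RAW_MESSAGE = BOM + SAMPLE_JSON

# Regex from the thread: consume the BOM (U+FEFF) and capture the bare JSON object.
JSON_AFTER_BOM = re.compile(r"^\uFEFF(\{.*\})", re.DOTALL)


def has_bom(raw: bytes) -> bool:
    """True when the raw payload starts with the UTF-8 byte order mark."""
    return raw.startswith(BOM)


def naive_parse(raw: bytes):
    """Mimic a JSON extractor that decodes as plain UTF-8 and parses as-is.
    The BOM survives decoding as U+FEFF, so json.loads rejects the text.
    Returns the parsed dict, or None when parsing fails (the
    'Nothing will be extracted' case from the thread)."""
    text = raw.decode("utf-8")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def parse_stripping_bom(raw: bytes):
    """Apply the thread's regex first, then parse only the captured object."""
    text = raw.decode("utf-8")
    match = JSON_AFTER_BOM.match(text)
    if not match:
        return None
    return json.loads(match.group(1))


def parse_with_utf8_sig(raw: bytes):
    """Alternative: the 'utf-8-sig' codec drops a leading BOM while decoding,
    and is harmless when no BOM is present."""
    return json.loads(raw.decode("utf-8-sig"))
```

Checking has_bom() on the stored full_message is a quick way to confirm the invisible leading bytes before adjusting extractor order.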