JsonExtractor strange behavior with '.' as key separator

Hi, I’m using Graylog 4.07.
Currently I’m reading a complex JSON object in the message. So I used a JsonExtractor to have the possibility to have key/value fields.
I used the dot char as key separator.
In the simulator it works as intended:


the new key is created using dot.

The strange situation is when looking at the Graylog stream data:

Why do I see the underscore in the field key when looking at the Graylog output?
Who can help me?

Having dots in field names is possible in Elasticsearch but not recommended - they could cause issues with inner object fields. I imagine Graylog clears that up as it processes the message through to Elasticsearch.

Which is better/clearer for use in pipelines:

$message.system.process.ppid

~or~

$message.system_process_ppid

Ok,
is there a configuration that I can use to manage a complex JSON object? Because it arrives as a String and I cannot navigate it.

I am not clear on what you mean, the data arrives as a string and you would prefer numeric?

The easy way is to create a new field with the data from the old field in a pipeline:

set_field("new_field", to_long($message.old_field));

A little more challenging: create a custom mapping in Elasticsearch where you force that field in that index to be numeric (be sure to rotate the index after setting up the custom mapping):

https://docs.graylog.org/en/latest/pages/configuration/elasticsearch.html#custom-index-mappings

Sorry I didn’t explain my situation better.

A field is arriving into Graylog where the value is an object that is serialized as a string.
In fact, looking at the data with Kibana, and the Graylog stream too, there are the quotes and the escaped characters in it.

So I used the json extractor.
The best approach should be to configure Graylog to manage it as an object, not as a string. In this way I can execute queries using JSON syntax.

There are functions for pipelines that allow you to process JSON - Functions — Graylog 4.1.0 documentation. I haven’t worked with JSON so I won’t be much help, but I recall there were quite a few questions in the forums here that you could search to find a solution…

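A pipeline rule along the lines of the suggestion above, as an added example that is not part of the original thread. It assumes the serialized object arrives in a field named `payload` (a hypothetical name) and reuses the `system.process.ppid` path mentioned earlier; `parse_json`, `to_map`, `select_jsonpath` and `set_fields` are Graylog pipeline functions.

```graylog
rule "parse serialized JSON object"
when
  // "payload" is a hypothetical field name: the field whose value is the
  // JSON object serialized as an escaped string
  has_field("payload")
then
  // Turn the escaped string back into a JSON tree
  let json = parse_json(to_string($message.payload));

  // Copy the object's keys into message fields; the prefix (an assumption)
  // keeps them from colliding with existing fields
  set_fields(fields: to_map(json), prefix: "payload_");

  // Pull one nested value out by JSONPath. The target field name uses
  // underscores, matching the form seen in the stored messages.
  let picked = select_jsonpath(json, { system_process_ppid: "$.system.process.ppid" });
  set_fields(picked);
end
```

The rule only takes effect once it is added to a pipeline stage and that pipeline is connected to the stream carrying these messages.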

Thanks a lot.
I will look at it to understand where I went wrong.
