is there any default functionality in terms of key value pairs extraction?
Why I am asking: I found some fields in my Graylog instance which were NOT defined in any extractor. So I deleted the whole INPUT, created a new (empty) one without any extractors and … surprise … all the fields are extracted again (looks like KVP)? It's a little bit spooky for me.
I am running the latest Graylog 2.4.0 version cluster with 3 nodes and 5.4.x ES.
Received by: GLOB Fortigate UDP on 12ef998f / nw-glog3
Stored in index: graylog_5
Input extractors:
Extractors of GLOB Fortigate UDP
Extractors are applied on every message that is received by this input. Use them to extract and transform any text data into fields that allow you easy filtering and analysis later on. Example: Extract the HTTP response code from a log message, transform it to a numeric field and attach it as http_response_code to the message.
Find more information about extractors in the documentation.
Start by loading a message to have an example to work on. You can decide whether to load a recent message received by this input, or manually select a message giving its ID.
Configured extractors
This input has no configured extractors.
And it seems I am hitting the same bug as described at the bottom: a url field in syslog will create a lot of unusable fields (until the maximum fields limit in ES is reached and ES stops … yihaa). Any chance to disable this functionality? Further … we are using different field names … so there's no need for the default KVP extraction…
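To make the failure mode described above concrete, here is an added example (not from the post and not Graylog's own code): a key=value extractor that splits on separators without honouring quotes turns the query-string parameters inside a url field into extra fields, while a quote-aware extractor with a key allowlist keeps the number of distinct fields bounded. The sample log line and the allowlist are constructed for this example; an unbounded set of field names is what eventually trips the per-index field limit in Elasticsearch.

```python
import re
from typing import Dict, Set

# Constructed Fortigate-style key=value syslog line (made up for this example).
SAMPLE_LINE = (
    'date=2018-01-20 time=10:15:01 devname=fw1 type=utm subtype=webfilter '
    'action=passthrough url="http://example.test/search?q=graylog&lang=en&page=2" '
    'msg="URL belongs to an allowed category"'
)

# Hypothetical allowlist: the only keys this deployment wants as fields.
ALLOWED_KEYS: Set[str] = {"date", "time", "devname", "type", "subtype", "action", "url", "msg"}


def naive_kv(line: str) -> Dict[str, str]:
    """Split on whitespace, '?' and '&' and treat every 'a=b' token as a field.

    Quoting is ignored, so the query string of a URL leaks its parameter names
    (q, lang, page, ...) into the field set. Over real traffic every distinct
    parameter name seen in any URL becomes a new field in the index."""
    fields: Dict[str, str] = {}
    for token in re.split(r"[\s?&]+", line):
        key, sep, value = token.partition("=")
        if sep and re.fullmatch(r"\w+", key):
            fields[key] = value
    return fields


# key=value where the value is either a double-quoted string or a run of non-blanks.
QUOTE_AWARE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def safe_kv(line: str, allowed: Set[str] = ALLOWED_KEYS) -> Dict[str, str]:
    """Quote-aware extraction that only admits allow-listed keys.

    Anything inside a quoted value is never split into keys, and unknown
    top-level keys are dropped, so len(result) <= len(allowed) for any input."""
    fields: Dict[str, str] = {}
    for m in QUOTE_AWARE.finditer(line):
        key = m.group(1)
        if key in allowed:
            fields[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def leaked_keys(line: str) -> Set[str]:
    """Keys the naive extractor invents that the quote-aware tokenizer never sees."""
    top_level = {m.group(1) for m in QUOTE_AWARE.finditer(line)}
    return set(naive_kv(line)) - top_level
```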