I’ve been trying to figure out a clean way to force lowercase on all field names. So far, I haven’t found a way to capture/iterate through every field in a pipeline parser. Something like $message.* or a way to use value substitution would be fantastic.
I wish I could figure out something like:
rename_field($message.$field, lowercase(to_string($message.$field));
Any suggestions?
I could not imagine a way to make this work - currently. Sorry.
Yeah. That was the end result I found after pouring over available functions. You can see the use case when receiving a large amount of varied log sources using something like json though, right?
My current options are to manipulate the case before sending, which puts load on the log sources- when the parsing logic load is already designed to be after input in graylog.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
