I’m running Graylog 5.0.3 community edition. A recent upgrade to the sidecar agent has resulted in a field name change for all winlogbeat events. Instead of beginning with “winlogbeat_” many of them now begin with “winlogbeat_winlog_”
I have not been able to identify a practical way to rename those events in winlogbeat, and I did not want to create a pipeline rule that individually renamed hundreds of fields.
At this point my thought is that if winlogbeat is moving to this new naming scheme, I might as well adopt it. So I would like to go through all of my saved searches, dashboards, alerts, pipeline rules, extractors, etc. and replace “winlogbeat_” with “winlogbeat_winlog” which should take care of just about every situation where I might experience a problem due to this naming change.
My question to the community is - is there any way you can think of that might help me do this in a more automated way? Perhaps exporting a content pack with all relevant items and doing a text search/replace and then re-importing the content pack?
Please upvote the following feature request which would make the field management nightmare much easier once it gets implemented (IF it ever gets implemented … ).
Thanks for the suggestion gsmith. I did try this, but unfortunately it just strips the winlogbeat_ and winlogbeat_winlog_ prefix off the fields altogether. I have had to resort to a fairly manual method of starting at inputs/extractors and working my way through pipeline rules, alerts/notifications, saved searches, and dashboards. In some cases it’s simply a replacement of “winlogbeat_” with “winlogbeat_winlog_”, but in other cases it’s an entirely different field name, such as “winlogbeat_log_name” to “winlogbeat_winlog_channel.” It’s tedious and I have chosen to purge index history, so overall a frustrating process but hopefully this is a situation that doesn’t come up very often.
A feature that would have greatly helped with this process would be if we could choose to overwrite searches, extractors, rules, dashboards, etc. during Content Pack installation. I have been able to use Content Packs to make mass modifications of field names, but without the ability to overwrite I have to do a lot of manual deletion prior to installing it. I have created a feature request here:
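For the content-pack export, search/replace and re-import approach floated in the first post, with the two complications the later reply describes (renames that are not a simple prefix change, such as winlogbeat_log_name to winlogbeat_winlog_channel, and names that already carry the winlogbeat_winlog_ prefix and must not be rewritten twice), here is an added Python example; it is not from this thread or from the Graylog project, it assumes the exported content pack is plain JSON and only rewrites string values, and the sample pack structure below is constructed rather than Graylog's real schema.

```python
import json
import re

# Constructed rename table: exact renames win over the generic prefix rewrite.
# The one exact rename is the example given in the thread.
EXACT_RENAMES = {
    "winlogbeat_log_name": "winlogbeat_winlog_channel",
}
OLD_PREFIX = "winlogbeat_"
NEW_PREFIX = "winlogbeat_winlog_"

# A field token: the old prefix plus identifier characters, not preceded by
# an identifier character, so "$message.winlogbeat_x" and "winlogbeat_x:4624" match
# but the middle of some other identifier does not.
FIELD_RE = re.compile(r"(?<![A-Za-z0-9_])winlogbeat_[A-Za-z0-9_]+")


def rename_field(name: str) -> str:
    """Map one field name to the new scheme; idempotent on already-migrated names."""
    if name in EXACT_RENAMES:
        return EXACT_RENAMES[name]
    if name.startswith(NEW_PREFIX):
        return name  # already in the new scheme, leave it alone
    if name.startswith(OLD_PREFIX):
        return NEW_PREFIX + name[len(OLD_PREFIX):]
    return name


def rewrite_text(text: str) -> str:
    """Rewrite every field reference inside a query string, rule source, etc."""
    return FIELD_RE.sub(lambda m: rename_field(m.group(0)), text)


def rewrite_json(node):
    """Walk a decoded content pack and rewrite string values; keys are untouched."""
    if isinstance(node, dict):
        return {k: rewrite_json(v) for k, v in node.items()}
    if isinstance(node, list):
        return [rewrite_json(v) for v in node]
    if isinstance(node, str):
        return rewrite_text(node)
    return node


def migrate_content_pack(raw_json: str) -> str:
    """Take the exported pack as text and return the rewritten pack as text."""
    return json.dumps(rewrite_json(json.loads(raw_json)), indent=2)


# Constructed sample pack (hypothetical layout, not Graylog's real schema).
SAMPLE_PACK = json.dumps({"entities": [
    {"type": "search", "data": {"query": "winlogbeat_event_id:4624 AND winlogbeat_log_name:Security"}},
    {"type": "pipeline_rule", "data": {"source": 'when has_field("winlogbeat_winlog_event_id")'}},
]})

if __name__ == "__main__":
    print(migrate_content_pack(SAMPLE_PACK))
```

Run it against the real export instead of SAMPLE_PACK and diff the result before re-importing, since any field that needs a non-prefix rename must first be added to EXACT_RENAMES.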