I am trying to ingest some oracle table records to Graylog via GELF TCP. Some of the table fields are of type number. Some of these number fields do not have values on some records.
When I do format the GELF’s JSON - according to the documentation - I am quoting text fields, but NOT quoting number fields. Ex:
Does ingest:
“_field_text”:“my text”,
“_field_number”:9001,
…
Does NOT ingest:
“_field_text”:“my text”,
“_field_number”:,
…
when the number field of a record is null, the record is not ingested on Graylog. Non-null number fields are OK, the do ingest.
My question are:
1 Is there any configuration that can allow a record to ingest when containing a null number field to? The idea is to follow the documentation and not quote numbers/integers
2. If (as a workaround that works) I do quote the number fields also, will this be a problem for Graylog, in the sense that it recognizes the field as text and not numeric as it is?
Is the issue that the message is not ingested by Graylog (you receive some error) or that it fails elasticsearch indexing? Do you see index failures occurring related to these messages? I don’t believe Graylog GELF input should have any issue parsing the field, so I suspect it is elasticsearch but we should verify.
My suspicion is that for the message to be indexed successfully you need to provide a literal null value for the field, which for this type should be
"_field_number":null,
edit: alternatively, simply omit the field entirely when it is null if possible
I do not receive any error on the Oracle side. From Oracle it looks like the delivery was done OK.
I did check for “system events” on Graylog Search dashboard but no record is there. Also on form Overview under Index Failures it shows “No failed indexing attempts in the last 24 hours.”
Your suggestion of putting a “null” where number field has no value is right. I did tested and it worked OK. The quoting of numbers would be a more practical solution (less Oracle code), but I will go for the “null” solution to stay compliant with the elastic syntax. But I would be curious to know if sending numbers with quotes would be a problem for graylog/elastic
