We’re using Graylog 4.3.3 and my question is related to how fields from the full_message show up after clicking on a message in the All Messages widget. We have a network device that sends a lot of data in various named fields to a Syslog UDP input. When clicking on these messages in a search or stream, the All Messages widget shows all of the fields in alphabetical order. I’m trying to figure out if there is some sort of creative way to re-order the fields, so that specific (more important) fields show at the top. It seems that one ought to be able to do this via some configuration, input extractor, pipeline, or something.
Not that I know. Perhaps find the Importent fields you want and filter them out to a stream or search query.
But instead of All Mesages I have used a specific Inputs & Streams for my devices and then on the left over view it only showed those fields from those Devices.
Use saved seaches to create a view on the stream you like. Add the relevant fields to the table at the bottom any maybe create some more widgets. Remember: it is a view on a singe or multiple stream(s). All widgets will have the same query and the same timerange. A Dashboard has individual searches and timeranges for each widget.
The order is alphabetical, but the caps letters are on the top. Rename your important fields into the a version with a capital first letter. It’s not really nice from my point of view, but some kind of workaround maybe for you.
I just implemented your idea of using capital letters via a “copy input” input extractor. Works like a charm! Not a perfect solution, but a very simple workaround.
