I’m completely new to Graylog so forgive my ignorance. I’m trying to import logs from various applications using Filebeats. I set up the very first log and, as expected, it needed to be parsed. I created a Grok Extractor for the Filebeats input and that worked like a charm. But… I have different formats I’m going to be sending to Graylog.
I think I’m supposed to use Pipelines to handle this situation. So I added a document_type field in Filebeats to indicate the type of log file coming in and Graylog sees that field just fine. I created a Pipeline and looked for how to use that field and tried to create this rule:
rule "parse log4j"
when has_field("document_type") && to_string($message.document_type) == "log4j"
But that gets a syntax error. How should I be doing this? And, another caveat, the extractor didn’t overwrite the timestamp that Graylog uses, so hopefully someone has a pointer for that as well.
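For context, here is what a complete pipeline rule for this routing pattern looks like in Graylog's rule language. This is an added example, not code from the original post or from the Graylog project: a rule needs a `when` condition followed by a `then` block and a closing `end`, and the `then` block is where the grok parsing and the timestamp override go. The log4j line layout, the grok pattern and the date pattern below are assumptions for illustration; they must be adjusted to the actual format being shipped.

```graylog
rule "parse log4j"
when
  // Only act on messages Filebeat tagged as log4j
  has_field("document_type") && to_string($message.document_type) == "log4j"
then
  // Assumed log4j layout (hypothetical): "2024-01-15 10:22:33,123 ERROR Something failed"
  // only_named_captures keeps just the named fields (log_time, level, log_message)
  let parsed = grok(
    pattern: "%{TIMESTAMP_ISO8601:log_time} %{LOGLEVEL:level} %{GREEDYDATA:log_message}",
    value: to_string($message.message),
    only_named_captures: true
  );
  set_fields(parsed);

  // Replace Graylog's receive-time timestamp with the time inside the log line.
  // The date pattern must match the captured log_time string exactly; timezone is assumed UTC.
  let event_time = parse_date(
    value: to_string($message.log_time),
    pattern: "yyyy-MM-dd HH:mm:ss,SSS",
    timezone: "UTC"
  );
  set_field("timestamp", event_time);
end
```

The rule only runs if it is attached to a stage of a pipeline that is connected to the stream carrying the Filebeat input, so a rule that saves without errors but never fires usually means the pipeline connection is missing. A second rule with a different `document_type` value and its own grok pattern handles the next format the same way.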