Pipeline - how can I search by renamed fields


(Matej Rycek) #1

Hi,

I am trying to create a rule to rename fields from my netflow fields, and after I rename the field by pipeline I cannot search by the renamed field.

What am I doing wrong?
Please help.

My rule:

rule "neflow normalizace"
when
    // only messages whose source field contains 10.0.10.1
    has_field("source") AND contains(to_string($message.source), "10.0.10.1")
then
    // rename the netflow field nf_dst to dst
    rename_field("nf_dst", "dst");
end

Search:


(Jochen) #2

The colon character (’:’) is a reserved character in the Lucene query language. You have to escape it as described in the documentation:
http://docs.graylog.org/en/2.3/pages/queries.html#search-query-language
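
The escaping described in the reply above, as an added example that is not part of the original thread: a small helper that builds a `field:value` search term and backslash-escapes the characters the Lucene query parser treats as reserved. The field name `dst` comes from the rule in the question; the other field names and all sample values are constructed for illustration.

```python
# Added example: escape Lucene reserved characters in a Graylog search term.
# Characters the Lucene query parser treats as reserved
# (&& and || are covered by escaping each & and | individually).
RESERVED = set('\\+-!():^[]"{}~*?|&/')


def escape_term(value: str) -> str:
    # Put a backslash in front of every reserved character.
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def quote_phrase(value: str) -> str:
    # Inside a quoted phrase only the backslash and the double quote
    # need escaping; a colon is taken literally there.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def field_query(field: str, value: str) -> str:
    # The colon between field and value is the only unescaped one.
    if any(ch.isspace() for ch in value):
        return f"{escape_term(field)}:{quote_phrase(value)}"
    return f"{escape_term(field)}:{escape_term(value)}"


# Constructed sample values (not taken from the thread).
SAMPLES = [
    ("dst", "10.0.10.1"),            # no reserved characters, unchanged
    ("dst", "2001:db8::1"),          # IPv6 address, every colon escaped
    ("mac", "00:1a:2b:3c:4d:5e"),    # hypothetical field name
    ("message", "login failed: root"),  # whitespace, so quoted as a phrase
]

if __name__ == "__main__":
    for field, value in SAMPLES:
        print(field_query(field, value))
```

Escaping values this way also matters when a script builds queries from untrusted input, since an unescaped reserved character changes how the whole query is parsed.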


(Matej Rycek) #3

Thank you very much, Jochen!

This was my fault.

best regards,
Matej.

