When I tried to parse this JSON with the JSON extractor, I got nothing, because the Graylog extractor can't work with Cyrillic letters.
Then I tried to use a pipeline rule to replace the Cyrillic words with English ones, but the pipeline doesn't replace the value in the message. But in the simulated pipeline, the replacing rule works fine.
Here is my rule:
> rule "replace values"
> when
> has_field("message")
> then
> let fix_message = replace(to_string($message.message), "Дата", "Date");
> let fix_message = replace(to_string($message.message), "ИмяПользователя", "UserName");
> set_field("message", fix_message);
> end
You are overwriting fix_message with your second let…use fix_message in the replace there… You could try regex_replace() but I don’t know if that would make a difference. I would use the debug() function to see what Graylog actually sees in those messages. You would then tail the server log to watch what it comes up with:
$ tail -f /var/log/graylog-server/server.log
rule "replace values"
when
has_field("message")
then
let fix_message = replace(to_string($message.message), "Дата", "Date");
let fix_message = replace(to_string(fix_message), "ИмяПользователя", "UserName");
set_field("message", fix_message);
debug(concat("======= The Message: ", to_string($message.message)));
debug(concat("======= The fix_message: ", to_string(fix_message)));
end
All that being said, I am not sure you can modify $message.message - I have seen older posts that suggest you can’t… maybe that has changed?
It’s hard to tell where you are. Did you use the debug() function to see if you are able to capture and convert the Cyrillic words? Did you try regex instead?
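Added example, not posted by anyone in this thread: one way to chain the two replacements and parse the result without overwriting `message`. It assumes the message body is a JSON object with the keys "Дата" and "ИмяПользователя"; the rule name, the variable names and the field name `message_normalized` are hypothetical, and the `parse_json`/`to_map`/`set_fields` step goes beyond what the thread shows.

```graylog
rule "normalize Cyrillic JSON keys and parse"
when
  has_field("message")
then
  // Assumption: $message.message holds a JSON object as text.
  let raw = to_string($message.message);

  // Each step consumes the previous step's output, never the original
  // message, so the first replacement is not lost.
  // The keys are matched together with their quotes so that the same word
  // appearing inside a value is left alone.
  let step1 = replace(raw, "\"Дата\"", "\"Date\"");
  let step2 = replace(step1, "\"ИмяПользователя\"", "\"UserName\"");

  // Keep the original message as received and store the rewritten copy in
  // a separate field (hypothetical name), which also avoids relying on
  // being able to overwrite "message".
  set_field("message_normalized", step2);

  // Parse the normalized text and promote its top-level keys to fields.
  let json = parse_json(step2);
  set_fields(to_map(json));

  // Visible in the server log, as suggested earlier in the thread.
  debug(concat("======= normalized: ", step2));
end
```

Keeping the untouched `message` next to `message_normalized` lets you compare what was received with what the rule produced.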