Pipeline - set_fields

Graylog Central (peer support)
1

Hi,
I have a problem using “set_fields” function in pipelines.
I use a regex to extract a value from the “$message.message” field.

rule “XXXX”
when

then
let s = regex ("^ (. +) \ | (. +) \ | (. +) \ | (. +) \ | (. +) \ | (. +) \ | ( . +) \ | (. +) \ | (. +) ", to_string ( message.message));

set_fields(key_value(to_string(s[“4”]), “;”, “=”, true, true, “take_first”, " ", " "), “PREFIX_NAME_”);
end

regex group 4, can assume values such as those listed below.

s ["4"]
	V = 238; P = 438; C = 40; N = 292
	P = 622
	V = 131; P = 504
	V = 156; P = 456; C = 43; N = 107

how can I define that every single field created with the set_fields function is a long type and not a string type as default?

2

hi, no idea? no help?

3

the easiert way would be to use elasticsearch template with your own index mapping

http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

4

thanks for the suggestion.
you think there are other possible ways, even longer, but implementable directly on graylog?

5

not with the current release of Graylog - as Graylog can’t create index mappings for you.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.