Problem in json extractor

pine1455 · July 29, 2019, 4:38pm

Hi,
I am new in graylog. It should be an easy question, sorry!
I have a json log messages but can not run my extractor. I think the problem is program name and pid(program[91129]: ) in the beginning of the message body. any way to omit this part?!

sample message body:

program[91129]: {“timestamp”: “2019-07-29”, “flow_id”: 1964529267423472, “in_iface”: “eth0”, “event_type”: “dns”, “src_ip”: “192.168.10.6”, “src_port”: 45885, “dest_ip”: “8.8.8.8”, “dest_port”: 53, “proto”: “UDP”, “dns”: {“type”: “query”, “id”: 1989, “rrname”: “detertal.firefox.com”, “rrtype”: “A”, “tx_id”: 0}}

jan · July 30, 2019, 6:52am

you might want to switch to the processing pipelines for messages extraction.

But - you have nested json as logfile what is currently not supported: https://github.com/Graylog2/graylog2-server/issues/5945
So - sorry no real answer here to your question if that is the reason or not.

system · August 13, 2019, 6:52am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5668	August 22, 2020
Can't extract from JSON Graylog Central (peer support) pipeline-rules	5	1748	September 7, 2020
Failing JSON Extractor Graylog Central (peer support) pipeline-rules , debuggingpl	14	5442	December 28, 2018
JSON extractor not working? Graylog Central (peer support)	5	4553	September 24, 2018
Problem with JSON extractor Graylog Central (peer support)	4	1993	June 15, 2017

Problem in json extractor

Related Topics