Replace in extractor

Hello! Can you advise? Can I use an extractor to find some value and, when this value exists, store some other value in the field? Example: if the value snmp exists in the message, store true in the field. To finally get -> (SNMP_FIELD: true)
I will be very grateful for your help!

You can use the processing pipeline for that:

Thank you! Exactly what is needed.
Can I use pipeline after extractor?

  1. Extractor adding new field SNMP
  2. Add pipeline:
    rule "test"
    when has_field("SNMP")  // field added by the extractor in step 1
    then set_field("SNMP", "true");
    end

Yes, depending on what the order of message processors is. See System/Configurations in the Graylog web interface.

I am grateful to you for your help!
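For reference, a pipeline rule that produces the result asked for in the first post without relying on an extractor. This is an added example, not code posted by anyone in the thread; the rule and pipeline names are made up, and `SNMP_FIELD` is taken from the question:

```graylog
// Added example: tags messages whose text mentions "snmp".
rule "tag snmp messages"
when
  // third argument true = case-insensitive match, so "SNMP" and "snmp" both hit
  contains(to_string($message.message), "snmp", true)
then
  set_field("SNMP_FIELD", true);
end

// Pipeline source that runs the rule; connect the pipeline to the stream
// that carries the messages.
pipeline "snmp tagging"
stage 0 match either
  rule "tag snmp messages";
end
```

Because the rule reads `$message.message` directly, it does not depend on a field an extractor has to create first.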
