Replace in extractor


(D Malko) #1

Hello! Can you advise? Can I use an extractor to find some value and, when this value exists, store some other value in the field? Example: if the value snmp exists in the message, store true in the field. To finally get -> (SNMP_FIELD: true)
I will be very grateful for your help!


(Jochen) #2

You can use the processing pipeline for that: http://docs.graylog.org/en/2.3/pages/pipelines.html


(D Malko) #3

Thank you! Exactly what is needed.
Can I use a pipeline after an extractor?
Example:

  1. Extractor adding new field SNMP
  2. Add pipeline:
    rule "test"
    when
      has_field("SNMP")
    then
      set_field("SNMP", "true");
    end

(Jochen) #4

Yes, depending on what the order of message processors is. See System/Configurations in the Graylog web interface.


(D Malko) #5

I am grateful to you for your help!

