Replace in extractor

Hello! Can you advise? Can I use an extractor to find some value and, when this value exists, store some other value in the field? Example: If the value snmp exists in the message, store true in the field. To finally get -> (SNMP_FIELD: true)
I will be very grateful for your help!

You can use the processing pipeline for that: http://docs.graylog.org/en/2.3/pages/pipelines.html
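A pipeline rule for the case in the question, as an added example that is not part of the original thread: it matches on the message text directly, so no extractor is needed. The rule name is made up; `SNMP_FIELD` is the field name from the question.

```graylog
rule "flag SNMP messages"
when
  // case-insensitive substring match on the raw message text
  contains(to_string($message.message), "snmp", true)
then
  // SNMP_FIELD is the field name from the question; the value is stored as a boolean
  set_field("SNMP_FIELD", true);
end
```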

Thank you! Exactly what is needed.
Can I use a pipeline after an extractor?
Example:

  1. Extractor adding new field SNMP
  2. Add pipeline:
    rule "test"
    when
      has_field("SNMP")
    then
      set_field("SNMP", "true");
    end

Yes, depending on what the order of message processors is. See System/Configurations in the Graylog web interface.

I am grateful to you for your help!
