Replace in extractor

(D Malko) #1

Hello! Can you advise? Can I use an extractor to find some value and, when this value exists, store some other value in the field? Example: if the value snmp exists in the message, store true in the field, to finally get -> (SNMP_FIELD: true)
I will be very grateful for your help!

(Jochen) #2

You can use the processing pipeline for that:

(D Malko) #3

Thank you! Exactly what is needed.
Can I use a pipeline after the extractor?

  1. Extractor adding new field SNMP
  2. Add pipeline:
    rule "test"
    when has_field("SNMP")  // assumed condition: the extractor from step 1 added the field
    then set_field("SNMP", "true");
    end

(Jochen) #4

Yes, depending on what the order of message processors is. See System/Configurations in the Graylog web interface.
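An added example, not part of the original thread or Graylog's own documentation: a pipeline rule that does what post #1 asks without an extractor. The rule name is illustrative, and the field name SNMP_FIELD is taken from the question.

```text
rule "flag snmp messages"
when
  // case-insensitive substring match on the raw message text
  has_field("message") &&
  contains(to_string($message.message), "snmp", true)
then
  // stores a boolean; write "true" in quotes to store a string instead
  set_field("SNMP_FIELD", true);
end
```

Because the rule reads the `message` field directly, it does not depend on an extractor having run first.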

(D Malko) #5

I am grateful to you for your help!
