running version 4.2x
I know in the past I could disable the normalization of logs on the syslog tcp input, I think it was using kv but I can't remember where I could disable or remove that now. Due to this all fields come in as string and I want to use the pipeline rules I created for the normalization. Maybe it is not possible now in newer versions of graylog to disable/remove that default parsing? Sure I can use a raw syslog input for this…
Hello, I want to use my own rules to normalize the logs that are normalized on the syslog tcp input; by default it parses them and sets all fields to string.
So I want to stop the parsing that is done on the syslog input by default. This is not in any extractor since that is empty.
I see, if you are referring to the default fields such as timestamp, message, etc… then you would need to create a new index template and attach it to a new index set.
Here are a couple of ideas depending on this environment. It is possible to change specific field types from string to integer (or float). This can be done using the curl command in Elasticsearch.
Examples:
First you would get the mapping:
curl -X GET "localhost:9200/graylog_1600/_mapping?pretty"
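To carry the reply's suggestion through to the end, here is an added example (not from this thread or from Graylog's own docs) that checks a field's current type and then installs a custom index template forcing chosen fields to numeric types. It assumes Elasticsearch 7.x or OpenSearch 1.x on localhost:9200 (typeless mappings), the default Graylog index prefix `graylog_`, and the constructed field names `took_ms` and `http_response_code`; `ES_URL`, `INDEX_PATTERN` and `TEMPLATE_NAME` are assumed names you can override.

```shell
#!/bin/sh
# Added example: override Graylog's string mapping for specific fields.
# Assumes ES 7.x / OpenSearch 1.x (no mapping type name) and the default
# "graylog_" index prefix. Adjust the variables below for your setup.
ES_URL="${ES_URL:-http://localhost:9200}"
INDEX_PATTERN="${INDEX_PATTERN:-graylog_*}"
TEMPLATE_NAME="${TEMPLATE_NAME:-graylog-custom-mapping}"

# build_template FIELD TYPE [FIELD TYPE ...]
# Emits the legacy _template body as one JSON line. TYPE must be a valid
# field type (long, integer, float, keyword, date, ...). Fails on an odd
# number of arguments so a field never silently loses its type.
build_template() {
    [ "$#" -ge 2 ] || { echo "build_template: need FIELD TYPE pairs" >&2; return 1; }
    props=""
    while [ "$#" -ge 2 ]; do
        [ -n "$props" ] && props="$props,"
        props="$props\"$1\":{\"type\":\"$2\"}"
        shift 2
    done
    [ "$#" -eq 0 ] || { echo "build_template: field '$1' has no type" >&2; return 1; }
    printf '{"index_patterns":["%s"],"mappings":{"properties":{%s}}}\n' \
        "$INDEX_PATTERN" "$props"
}

# show_field_mapping INDEX FIELD
# Confirms the field is currently a string ("text"/"keyword") before you
# override it; a field that is already numeric needs no template.
show_field_mapping() {
    curl -s -X GET "$ES_URL/$1/_mapping/field/$2?pretty"
}

# apply_template FIELD TYPE [FIELD TYPE ...]
# Installs the template. Only indices created afterwards pick it up, so
# rotate the active write index in Graylog (System > Indices > Maintenance)
# once it is in place; existing indices keep their string mapping.
apply_template() {
    build_template "$@" | curl -s -X PUT "$ES_URL/_template/$TEMPLATE_NAME" \
        -H 'Content-Type: application/json' --data-binary @-
}

# Example run (constructed field names):
#   show_field_mapping graylog_1600 took_ms
#   apply_template took_ms long http_response_code integer
```

If the existing index already holds values that do not parse as the new type (for example a `took_ms` of "n/a"), messages with such values will be rejected by the new index, so clean them up in the pipeline rule before rotating.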