Syslog TCP input normalization

gsmith · May 11, 2022, 11:37pm

Hello,

I see, if you referring to the default fields such as timestamp, message, etc… then you would need to create a new index template and attach it to new index set.

Here is a couple ideas depending on this environment. It is possible to change specific fields type from string to integer (or float). this can be done using the curl command in Elasticsearch.

Examples:

First you would get the mapping

curl -X GET "localhost:9200/graylog_1600/_mapping?pretty"

Update mapping API | Elasticsearch Guide [8.11] | Elastic

Then adjust those fields as needed.

curl -X PUT "localhost:9200/graylog_1600/_mapping?pretty" -H 'Content-Type: application/json' -d'
{
  "properties": {
    "email": {
      "type": "integer "
    }
  }
}
'

Or use a Pipeline something like this.

Pipeline - Create field with value from another field - #2 by tmacgbay

If your going the pipeline route @tmacgbay would know better then I would.

Hope that helps

Topic		Replies	Views
/var/log/messages full Graylog Central (peer support)	32	4828	February 10, 2020
Correct Input Settings Graylog Central (peer support)	11	4713	February 12, 2020
Not seeing any messages after configuring an input Graylog Central (peer support) pipeline-rules	12	827	March 17, 2020
How to get a raw version and a parsed version of the same messages Graylog Central (peer support) pipeline-rules	3	707	March 3, 2022
Help with understanding a few key fundamental conepts of graylog. Raw vs Syslog input Graylog Central (peer support) basic-configuration	25	1354	January 26, 2022

Syslog TCP input normalization

Related Topics