I have a correct incoming JSON transfer to my Graylog instance.
My msg field has multiple words like “ET POLICY Vulnerable Java Version 1.7.x Detected”.
I want to add Quick Values to my dashboard using this msg field.
But I don't get the full text message as a value; I get each word as a value on my dashboard.
If you need more information, let me know.
I hope somebody can help me.
How are you ingesting these messages?
Which extractors or pipeline rules are you using to process these messages?
Also, please provide some example messages.
I have a CSV output of the Snort IDS and use a Unix socket to transmit the info to td-agent/fluentd, which transmits the correctly formatted JSON to Graylog (including the required fields timestamp and source-host).
Because of the CSV output I have no pipeline rules in Graylog. The JSON goes directly from my td-agent to Graylog.
msg examples:
- “ICMP test detected”
- “Consecutive TCP small segments exceeding threshold”
- “ICMP test detected”
There are also thousands of different messages. As an example, I want to display the top 5 messages. Maybe it's the message “ICMP test detected”.
If you want to use anything from that JSON payload, you either have to use a JSON extractor or a pipeline rule to parse the JSON and set the message fields accordingly.
Is this the necessary way, if I have the message field already “set” via transmission of the mentioned JSON string?
Because the fields are correctly set in Graylog…
The “message” field is analyzed by default, which means it’s tokenized and each token is indexed. That’s why you get “single words” when running Quick Values on that field.
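To make the difference concrete, here is an added illustration (not code from the thread or from Graylog) that approximates the tokenization of an analyzed field and counts values the way Quick Values does on a tokenized field versus a whole-string (keyword) field; the sample alerts and the `snort_msg` field name in the pipeline rule are my assumptions.

```python
import re
from collections import Counter

# Constructed sample of Snort alert texts as they would land in the
# analyzed "message" field (assumed data, not from the original thread).
SAMPLE_MESSAGES = [
    "ICMP test detected",
    "ICMP test detected",
    "ICMP test detected",
    "Consecutive TCP small segments exceeding threshold",
    "Consecutive TCP small segments exceeding threshold",
    "ET POLICY Vulnerable Java Version 1.7.x Detected",
]

# Assumed Graylog pipeline rule: copying the text into a custom field makes
# it a non-analyzed keyword field, so Quick Values counts whole strings.
GRAYLOG_RULE = '''
rule "copy snort alert text to keyword field"
when
  has_field("message")
then
  set_field("snort_msg", to_string($message.message));
end
'''


def analyze(text):
    """Approximate the standard analyzer used on an analyzed field:
    lowercase the text and split it into word tokens."""
    return re.findall(r"[0-9a-z]+(?:\.[0-9a-z]+)*", text.lower())


def top_values(messages, n, analyzed):
    """Return the n most common values. On an analyzed field every token
    is counted separately; on a keyword field the whole string counts."""
    counter = Counter()
    for msg in messages:
        counter.update(analyze(msg) if analyzed else [msg])
    return counter.most_common(n)


if __name__ == "__main__":
    print("analyzed (message):", top_values(SAMPLE_MESSAGES, 3, True))
    print("keyword  (snort_msg):", top_values(SAMPLE_MESSAGES, 3, False))
```

Running it shows single words such as "detected" on top for the analyzed field and the full alert text on top for the keyword field.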