Hello,
I want to create a new field for search, based on an extractor that I’ll be able to use against Apache access and error logs.
I’m getting these logs using Filebeat.
So, my actions are:
- in Search section I choose “Search in all messages”
- As a query I use “source:hosting AND facility:filebeat”
- Then I open latest message
- Near message field I click on arrow
- Selecting “Create extractor for field message”
- Selecting “Split & Index”
Then:
• Example message is: ***.***.***.*** - - [10/Jul/2018:22:19:37 +0200] "GET / HTTP/1.0" 301 203 "-" "Python-urllib/2.7"
• Split by: “- -”
• Target index: 1
Once I click “Try”, it shows me an appropriate match, which is the IP address, as expected
• Condition: Always try to extract
• Store as field: source_ip_address
• Extracting technology: copy
• Extractor title: IP address of website visitor
• No converter is added
Then I click “create extractor” and get the error message: “Could not create extractor
Creating extractor failed: Error: cannot POST http://***.***.***.***:9000/api/system/inputs/5b26935f8e25a80e20ca7764/extractors (400)”
There are no new lines after this action in /var/log/graylog-server/graylog.log
What am I doing wrong? Should I create a new issue on GitHub, or post here first to find out obvious mistakes?
Thank you for your attention. I highly appreciate the time you’ll spend answering my questions.