Using extractors on forwarder inputs

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

I would like to configure extractors on my forwarder inputs but even though I have created the extractors, and tested them against log entries, they will not extract data.

I have noticed that if I “Show all messages” on the forwarder input (under System/Inputs) there is nothing, but if I look at the input configured on the forwarder there are logs.

2. Describe your environment:

  • OS Information: Ubuntu 22.04

  • Package Version:5.2

3. What steps have you already taken to try and solve the problem?

I have looked everywhere and I cannot find any info on this.

4. How can the community help?

Please tell me if I have done something wrong or if this is even possible?

I don’t believe you can run extractors on forwarded inputs. You need to do the extraction in pipeline rules. Forwarder inputs are a very different animal.

Also if you want to show the received messages you want to navigate to the forwarder or forwarder profile page and launch it from there.

Thanks @Joel_Duffield!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.