Using Extractors without inputs

tanzagraylog85 · June 21, 2019, 10:46am

Hi there,
I’m a new one on this forum and I think it is a fantastic community.

I have a question for you and I hope someone can help me.
I have a Graylog node just used as repository, so no inputs are configured. I just imported some elasticsearch indices from an other cluster to mine, in this way I can search messages directly from indexes making queries on Search tab. Now, I would like to use extractors on this messages, but I can’t, since I have no inputs running.

Is there a way to use them without any inputs configured?

Any help is appreciated.

Many thanks!

Ponet · June 21, 2019, 11:51am

I don’t believe this is possible as the messages are already stored in Elasticsearch.

You would need to utilise the GROK on either an Input or within a Pipeline.
Once the message reaches Elasticsearch, Graylog has finished its processing of the message.

tanzagraylog85 · June 21, 2019, 12:36pm

Perfect, so there’s no way to make it work

Thanks for your reply.

jan · June 21, 2019, 1:23pm

Graylog (ELK and others) do the processing only on INGEST, that is why you can’t do it after the messages are written to Elasticsearch.

system · July 5, 2019, 1:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extractor before adding to Elasticsearch? Graylog Central (peer support)	1	310	December 31, 2020
Graylog not receiving messages, unprocessed messages Graylog Central (peer support)	22	4003	June 23, 2022
Messages are not being written on index after I modified some extractors Graylog Central (peer support)	9	422	January 24, 2022
Logstash Output to Graylog 3.0 (Can't search message) Graylog Central (peer support)	3	2529	May 24, 2019
Deleted Extractors are still running Graylog Central (peer support)	4	1092	September 3, 2019

Using Extractors without inputs

Related topics