Using Extractors without inputs

tanzagraylog85 · June 21, 2019, 10:46am

Hi there,
I’m a new one on this forum and I think it is a fantastic community.

I have a question for you and I hope someone can help me.
I have a Graylog node just used as repository, so no inputs are configured. I just imported some elasticsearch indices from an other cluster to mine, in this way I can search messages directly from indexes making queries on Search tab. Now, I would like to use extractors on this messages, but I can’t, since I have no inputs running.

Is there a way to use them without any inputs configured?

Any help is appreciated.

Many thanks!

Ponet · June 21, 2019, 11:51am

I don’t believe this is possible as the messages are already stored in Elasticsearch.

You would need to utilise the GROK on either an Input or within a Pipeline.
Once the message reaches Elasticsearch, Graylog has finished its processing of the message.

tanzagraylog85 · June 21, 2019, 12:36pm

Perfect, so there’s no way to make it work

Thanks for your reply.

jan · June 21, 2019, 1:23pm

Graylog (ELK and others) do the processing only on INGEST, that is why you can’t do it after the messages are written to Elasticsearch.

Topic		Replies	Views
Extractor before adding to Elasticsearch? Graylog Central (peer support)	1	328	December 31, 2020
Elasticsearch input Graylog Central (peer support)	12	3031	December 29, 2018
Applying any extractor to an input makes it stop working Graylog Central (peer support)	3	677	August 17, 2020
Messages are not being written on index after I modified some extractors Graylog Central (peer support)	9	485	January 24, 2022
Migration from ELK where to find data views or extractors Graylog Central (peer support)	11	478	September 15, 2023

Using Extractors without inputs

Related topics