Hi, Elasticsearch by default indexes and breaks down any input for a correct JSON format input using specific mapping rules.
https://www.elastic.co/guide/en/elasticsearch/reference/1.4/mapping-core-types.html

So, by default, for a proper JSON format, Elasticsearch directly breaks down different fields from JSON input. Now, if you want to use different mapping rules for field values, you can define your own templates to map fields as you wish. Again, after defining your own mapping rules depending on your input, fields will be broken down.

https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-templates.html
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/mapping.html

Best Regards.

On Sunday, January 3, 2016 at 8:55:28 PM UTC+2, Tomas Marton wrote:
>
> Hello,
>
> I'm a new Graylog user and I have doubts about what is the correct way to
> normalize a JSON message.
>
> One way is to use a regular expression to extract each field on its own, but
> I think this solution is rather ineffective.
>
> Second is to use the JSON extractor and on the result use copy input/regex
> extractors, but how can I get rid of unwanted fields?
>
> Thanks a lot for your answers.
>
