These are my two inputs and the extractor behind them

Raw/Plaintext TCP JSON Extractor ONLY (Raw/Plaintext TCP) running
On node  3b7c3971 / graylog
recv_buffer_size: 1048576
port: 5556
tls_key_file:
tls_key_password: *******
tls_client_auth_cert_file:
max_message_size: 2097152
tls_client_auth: disabled
override_source:
bind_address: 0.0.0.0
tls_cert_file:


 JSON(Flatten Structures=disabled) (JSON)
Trying to extract data from message into message, leaving the original 
intact.
Configuration:
flatten: false
key_separator: .
list_separator: ,
kv_separator: =
---------------------------------------------------------------------------------------

JSON Extractor (flatten structures=enabled) (Raw/Plaintext TCP) running
On node  3b7c3971 / graylog
recv_buffer_size: 1048576
port: 5557
tls_key_file: admin
tls_key_password: *******
tcp_keepalive: true
tls_client_auth_cert_file:
max_message_size: 2097152
tls_client_auth: disabled
override_source:
bind_address: 0.0.0.0
tls_cert_file:


 flatten json (JSON)
Trying to extract data from message into message, leaving the original 
intact.
Configuration:
flatten: true
key_separator: .
list_separator: ,
kv_separator: =
---------------------------------
Please let me know if you need any further information to help me. The 
example I provided below shows that the value of key abc is [[{t=value1, 
v=154.99}, {t=value2, v=0.0}]]. I cannot query the individual t and v in it, 
whereas Splunk allows it. Now I am working on testing if ELK can do this. 
Any ideas?

Thanks
Tushar

On Saturday, February 13, 2016 at 12:16:41 PM UTC-8, Tushar Goel wrote:
>
> Hi Jochen,
>
> Sorry, did not see this. I did not get any notification that someone 
> replied to this. I am new to google groups.
> I used netcat to send data to the raw TCP input finally, since my primary 
> objective is to test its ability to parse our logs (which are nested 
> structures):
> while IFS= read -r x; do printf '%s\n' "$x" | nc IP 5556; done < error_case.log
>
> That is where most of the open source Splunk alternatives fail with our 
> use case. This functionality is very critical to us.
>
> I also replied to you on another thread, pasting here as well
>
>
> We are looking for something that parses our nested JSON logs. I tested 
> Graylog but it fails at parsing nested arrays. Not even flattening 
> structures helps. Any suggestions?
> For example:
> abc[[{t=value1, v=154.99}, {t=value2, v=0.0}]]
> Whether flatten structures is enabled or disabled in the JSON extractor, 
> it remains the same.
> Thanks
> Tushar
>
> However
>
> On Tuesday, December 29, 2015 at 4:36:57 AM UTC-8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> did you start a GELF TCP input on the Graylog server you're trying to 
>> send the messages to and is it accessible from the machine the Graylog 
>> Collector is running on?
>>
>> Additionally, the type setting for the GELF output in the Graylog 
>> Collector configuration is wrong. It should be "gelf" instead of "file" 
>> (see http://docs.graylog.org/en/latest/pages/collector.html#gelf-output).
>>
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 28 December 2015 13:49:05 UTC+1, Tushar Goel wrote:
>>>
>>> Hi,
>>>
>>> Testing sending JSON logs to Graylog. 
>>> Getting the error below in graylogcollector-stdout.2015-12-28
>>>
>>> 2015-12-28T04:46:13.626-0800 ERROR [gelfTcpTransport-1-1] 
>>> gelfclient.transport.GelfTcpTransport - Connection failed: Connection 
>>> refused: no further information: /XX.XXX.XXX.XX:12201
>>>
>>> Please advise.
>>> Here is my collector.conf
>>>
>>> server-url = "http://XX.XXX.XXX.XX:12900/";
>>>
>>> inputs {
>>>   xbec_transactions {
>>> type = "file"
>>> path = "C:\\Users\\tugoel\\Documents\\GSP\\Temp\\xbec_transactions.log"
>>> charset = "utf-8"
>>> content-splitter = "newline"
>>>   }
>>>   //win-eventlog-system {
>>>     //  type = "windows-eventlog"
>>>     //  source-name = "System"
>>>     //  poll-interval = "1s"
>>>     //}
>>>    // win-eventlog-security {
>>>     //  type = "windows-eventlog"
>>>      // source-name = "Security"
>>>     //  poll-interval = "1s"
>>>    // }
>>> }
>>>
>>> outputs {
>>>   gelf-tcp {
>>>     type = "file"
>>>     host = "XX.XXX.XXX.XX"
>>>     port = 12201
>>>   }
>>> }
>>>
>>>
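
An added example, not part of the thread or of Graylog's own code: one way to make each `t` and `v` in the nested array addressable is to flatten arrays into index-qualified keys before a line reaches the Raw/Plaintext TCP input. The `.` separator mirrors the extractor's `key_separator`; the function names, the sample line (rebuilt from the rendering quoted above) and newline-delimited framing on the input are assumptions.

```python
import json
import socket


def flatten(value, prefix="", sep="."):
    """Return {flat_key: scalar} for arbitrarily nested dicts and lists.

    List elements get their index as a key segment, so every leaf ends up
    under its own field name instead of inside one stringified array.
    Empty dicts and lists contribute no fields.
    """
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return {prefix: value}
    flat = {}
    for key, child in items:
        path = f"{prefix}{sep}{key}" if prefix else str(key)
        flat.update(flatten(child, path, sep))
    return flat


def transform_line(line, sep="."):
    """Flatten one JSON log line; pass anything else through unchanged."""
    try:
        doc = json.loads(line)
    except ValueError:
        return line.rstrip("\n")
    if not isinstance(doc, dict):
        return line.rstrip("\n")
    return json.dumps(flatten(doc, sep=sep), sort_keys=True)


def send_lines(lines, host, port=5556):
    """Send flattened lines over one TCP connection, one message per line."""
    with socket.create_connection((host, port), timeout=5) as sock:
        for line in lines:
            if line.strip():
                sock.sendall(transform_line(line).encode("utf-8") + b"\n")


# Constructed sample, rebuilt from the abc[[{t=..., v=...}]] rendering above.
SAMPLE = '{"abc": [[{"t": "value1", "v": 154.99}, {"t": "value2", "v": 0.0}]]}'

if __name__ == "__main__":
    print(transform_line(SAMPLE))
```

With the sample line this yields the keys `abc.0.0.t`, `abc.0.0.v`, `abc.0.1.t` and `abc.0.1.v`, each holding a single scalar.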
