Hi, joining the JSON array into a single field is one of the purposes of the JSON extractor in Graylog. Graylog currently only supports flat JSON structures (e. g. no objects and no arrays).
Cheers, Jochen On Friday, 8 April 2016 15:44:28 UTC+2, Scipio wrote: > > I'm running Graylog 1.3.4, and the messages are coming in JSON formatted > via a Kafka server. > > I was setting up a template to handle some fields that are sent as arrays, > but it appears that the array values get joined as a single value by the > JSON extractor. When I manually poll the messages out of Kafka they appear > to be shipped as proper arrays ( "field1": ["value1","value2"] ) but when I > look at them in Elasticsearch after they are indexed I see "field1": > "value1, value2". Unless I'm missing something, it looks like the JSON > extractor in Graylog is doing this. > > Is there any way to disable the join and retain the array? > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/0af0801f-948e-44f3-87f0-0fe1169dfafe%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
