Thanks for the clarification, I wanted to make sure it wasn't something I was doing incorrectly.
I'll set up a template in Elasticsearch to analyze these fields. On Saturday, April 9, 2016 at 1:01:00 PM UTC, Jochen Schalanda wrote: > > Hi, > > joining the JSON array into a single field is one of the purposes of the > JSON extractor in Graylog. Graylog currently only supports flat JSON > structures (e. g. no objects and no arrays). > > > Cheers, > Jochen > > On Friday, 8 April 2016 15:44:28 UTC+2, Scipio wrote: >> >> I'm running Graylog 1.3.4, and the messages are coming in JSON formatted >> via a Kafka server. >> >> I was setting up a template to handle some fields that are sent as >> arrays, but it appears that the array values get joined as a single value >> by the JSON extractor. When I manually poll the messages out of Kafka they >> appear to be shipped as proper arrays ( "field1": ["value1","value2"] ) but >> when I look at them in Elasticsearch after they are indexed I see "field1": >> "value1, value2". Unless I'm missing something, it looks like the JSON >> extractor in Graylog is doing this. >> >> Is there any way to disable the join and retain the array? >> > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/607360b5-7aef-4088-8292-d298cd118cb0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
