Hi, I know it's not what you asked for, but I think using the new pipeline processor can help you with that. You can find it in Graylog 2.0, if you want to try it. Here's some documentation: http://docs.graylog.org/en/2.0/pages/pipelines.html
Regards, Edmundo > On 10 Jun 2016, at 10:41, nimmie <[email protected]> wrote: > > Hi, > I would like to ask you how to deal with $SUBJ? > > Additional question marks: > a. I need something like logstash mutate -> remove_field functionality: > feasible in Graylog? > b. after some examination: is the Graylog correct/only tool "drools"? > (pipeline procesing still marked as experimental) > c. what is exact processing order in Graylog (from my issue point of view): > 1. input filter with extractor (created via GUI) 2. drools file *.drl? > d. where is the best starting point for learning drools? not the link in > graylog docs, but where can I find e.g. list of "methods" (e.g. "add.Field")? > > My current set-up: > 1. local file with logs > 2. logstah for file processing (LS sending json to RabbitMQ) > 3. RabbiMQ > 4. Graylog (input with RawAMPQ): used JSON extractor - working, but I need to > remove "message" field (remove data duplication) > > Thanks in advance. > nimmie > > > -- > You received this message because you are subscribed to the Google Groups > "Graylog Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/graylog2/b49e3a46-3e46-457d-bd04-5cc34942c2dd%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/0B42A463-2F40-4675-AF2C-BCFC77065856%40graylog.com. For more options, visit https://groups.google.com/d/optout.
