ok, so I misread the GROK instructions -- I had to append a ;type [;int]
after each match
min1Errors=%{INT:min1Errs;int} min5Errors=%{INT:min5Errs;int}
min15Errors=%{INT:min15Errs;int} min30Errors=%{INT:min30Errs;int}
min1Errors=%{INT:min1Errs;int} min5Errors=%{INT:min5Errs;int}
min15Errors=%{INT:min15Errs;int} min30Errors=%{INT:min30Errs;int}
hour1Errors=%{INT:hour1Errs;int} hour4Errors=%{INT:hour4Errs;int}
hour12Errors=%{INT:hour12Errs;int} dayErrors=%{INT:dayErrs;int}
weekErrors=%{INT:weekErrs;int} monthErrors=%{INT:monthErrs;int}
then I had to manually recycle the deflector and close the prior index
because otherwise it will get stuck on the string types that are in the
index
done
On Monday, June 13, 2016 at 11:17:29 AM UTC-4, Al J wrote:
>
> I'm going nutz here trying to get numeric values so that I can use field
> graphs
>
> I'm sending string-based information from a NodeJS program using the
> gelfling library
>
> I've tried sending as JSON and extracting the JSON fields -- until I
> learned that everything that is sent via the gelfling library is converted
> to strings
>
> Then I sent key=value pairs in the long_message -- but the extractor is
> not saving the fields
>
> Now I'm using the GROK patterns -- and the fields are being created, but
> they are not numeric?
>
> Here's the long_message
>
> min1Errors=0 min5Errors=0 min15Errors=0 min30Errors=0 min1Errors=0
> min5Errors=0 min15Errors=0 min30Errors=0 hour1Errors=0 hour4Errors=0
> hour12Errors=0 dayErrors=1 weekErrors=3 monthErrors=229
>
> Here's my GROK pattern
>
> min1Errors=%{INT:min1Errs} min5Errors=%{INT:min5Errs}
> min15Errors=%{INT:min15Errs} min30Errors=%{INT:min30Errs}
> min1Errors=%{INT:min1Errs} min5Errors=%{INT:min5Errs}
> min15Errors=%{INT:min15Errs} min30Errors=%{INT:min30Errs}
> hour1Errors=%{INT:hour1Errs} hour4Errors=%{INT:hour4Errs}
> hour12Errors=%{INT:hour12Errs} dayErrors=%{INT:dayErrs}
> weekErrors=%{INT:weekErrs} monthErrors=%{INT:monthErrs}
>
> I've tried NUMBER and INT (NUMBER auto-magically added a BASE10NUM to the
> outputs)
>
> argh!
>
> Is there anywhere that I can find out the type of the created fields ?
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/843c4fbd-7d01-48a6-aa0c-39417ef395d5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
