Hi, I would like to rewrite a message on an input before it hits the extractors. Where would I look to do this?

I have JSON messages coming in from the fluent GELF plugin, which adds its own (numeric) level attribute which collides with the level we already have; I need to nuke one of them. So far all I have found is butchering the fluent plugin, which is problematic. I'd rather rewrite the message from within Graylog before it hits the extractor chain (see example log below). Any places in Graylog2 where you can rewrite input before it hits the extractors?

Second question is about the means by which Graylog decides to create keys for a message. For example, in the message below, Graylog created a key "data_orchestrator_request_code" for app.data_orchestrator.request.code. However, in another message type we have, it created "app_event_name" for app.event.name (different from sample log), all coming in over the same input using the same extractor. In the first example, it lopped off the "app" completely; in the second it doesn't.

Also, the default field separator is a '_' char and not '.' which one might expect. Any ideas on what's up w/ that?

Thanks,
/jos

{
  "app": {
    "data_orchestrator": {
      "request": {
        "endpoint": "document/{uuid}/file/{page}",
        "code": "200",
        "method": "GET",
        "bytes": "11",
        "count": "1",
        "millis": "221",
        "outputByteLength": "279040",
        "parameters": {
          "documentUUID": "f31b6944-13da-4f3f-a536-134eb0fbdd10",
          "page": "288"
        },
        "orgId": "10000330",
        "status": "success"
      }
    }
  },
  "jvm": {
    "memory": {
      "total": {
        "bytes": "9889644544",
        "count": "1"
      },
      "max": {
        "bytes": "22369796096",
        "count": "1"
      },
      "free": {
        "bytes": "7096629056",
        "count": "1"
      }
    },
    "threads": {
      "count": "205"
    },
    "processors": {
      "count": "16"
    },
    "thread": "11159"
  },
  "datestamp": "2016-06-21T18:32:40.423Z",
  "hostname": "ip-10-0-0-199",
  "level": "EVENT",
  "source": "production.dataorchestrator",
  "time": "1466533960423",
  "loggerName": "resource.DocumentResource"
}
