Thanks Jochen.
I'm looking at the Graylog pipelines docs, but I think I'm really confused :-/
I've created a pipeline with one rule that extracts key=value pairs:

    rule "Extract K=V"
    when
      true
    then
      set_fields(key_value(to_string($message.message)));
    end

Then I've created a stream of messages, where only messages with the
intended format will pass through. After that, I've connected the stream to
the pipeline. Executing the "Simulate processing" function, fields get
extracted as expected. However, Graylog keeps indexing the original message
into Elasticsearch!
What am I missing? I think there must be something that I'm missing,
because we can route the same message to multiple streams. If it worked the
way I'm thinking, we would end up with duplicated messages on Elasticsearch.
I've also looked at stream outputs, but there's no ES output. :-/
Can you shed some light here please?
Thanks.
On Tuesday, February 14, 2017 at 3:03:06 PM UTC, Jochen Schalanda wrote:
>
> Hi Rui,
>
> On Tuesday, 14 February 2017 13:15:13 UTC+1, Rui Goncalves wrote:
>>
>> Why it's not possible to remove a field from the received message using
>> extractors?
>>
>
> This was a deliberate decision at the time to prevent people from
> wondering why some field didn't exist anymore due to stacked or complicated
> extractors.
>
>
>> However it's in an experimental phase (with potential stability and
>> performance issues) and it seems overkill for doing something so simple as
>> dropping a field.
>>
>
> The message processing pipelines aren't experimental anymore in Graylog
> 2.2.0.
>
> Cheers,
> Jochen
>