
I am using a pipeline connected to a .csv document to create a new field in my Windows logs on Graylog. As you can see from the screenshot, I can see the field in every log, but when I click on "show top values" to create a new widget, Graylog doesn't show anything.

I think this happens because the value in the field is not a string, in fact it's between curly brackets. The problem is that I can't find a way to show these values in a widget. I tried changing my pipeline rule but I had no results.

The following is one of the many attempts I made with the rule:

    rule "eventid_windows_rule"
    when
      has_field("winlogbeat_winlog_event_id")
    then
      let winlogbeat_winlog_italiano = lookup("eventid_widget_windows_lookup", ($message.winlogbeat_winlog_event_id));
      set_field("winlogbeat_winlog_ita", to_string(winlogbeat_winlog_italiano));
    end

Screenshot: [image not reproduced]

Lorenzo

1 Answer

This is a string representation of a JSON object; you should try to replace

    set_field("winlogbeat_winlog_ita", to_string(winlogbeat_winlog_italiano));

by

    set_field("winlogbeat_winlog_ita", to_string(winlogbeat_winlog_italiano.value));
                                                                               /\
    ---------------------------------------------------------------------------|

This should avoid storing a JSON object representation (we expect to see "Un account ha effettuato il logon con successo" in winlogbeat_winlog_ita).

However, this may not be your only issue; check that the field type is not "compound": this may occur if, in the past, you sent another data type in this field for the current index.

The best way to know if you are in this case is to click on "Fields" (in the sidebar, when searching), then click on the field winlogbeat_winlog_ita and see if the popup says "winlogbeat_winlog_ita = string" or if it shows mixed field types.
If it is a compound value, you should rotate the active write index, generate some logs, and search again (search from the date/time at which you performed the rotation to avoid taking old compound values into consideration).

Swisstone

Comment: Thank you so much @swisstone. I had exactly the same thought and I've tried this solution already, but without results. For some reason, when I tried to extract the value by putting ".value" at the end, nothing showed up in the logs. Finally, yesterday I found a workaround by creating two different stages in the pipeline. I am going to post my solution just in case someone needs it in the future. – Lorenzo Apr 14 '21 at 06:56
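The answer raises two separate diagnostics: whether the stored field value is really a serialised lookup-result object rather than a plain string, and whether the field has ended up with mixed types across the indices of the index set. The following Python is an added example written for this thread, not code from the question, the answer, or Graylog itself. It assumes the lookup result map uses a key named "value" (taken from the answer's `.value` fix; the key is a parameter in case the real map differs), and it assumes the shape of the Elasticsearch 7 response to `GET /<index>/_mapping/field/<field>`; the index names `graylog_0..2` and every sample value are constructed here.

```python
import json
from collections import defaultdict

# --- 1. Why "show top values" sees nothing ---------------------------------
# Constructed samples of what can end up in winlogbeat_winlog_ita. The first
# is the stringified lookup-result object the question describes; the key
# name "value" is taken from the answer's ".value" fix (assumption: the real
# map may use a different key, so the key is a parameter below).
SAMPLE_FIELD_VALUES = [
    '{"value":"Un account ha effettuato il logon con successo"}',
    "Un account ha effettuato il logon con successo",
    '{"value":null}',
    "4624",
    "{not json}",
]


def unwrap_lookup_result(field_value, key="value"):
    """Return the plain string a Graylog widget can aggregate on.

    A value that is the JSON serialisation of a lookup-result object is
    reduced to its `key` entry. Anything else is returned unchanged. None
    means "no usable value": the caller should leave the field unset rather
    than store "null" or "{}", which would show up as a top value of its own.
    """
    text = field_value.strip()
    if not (text.startswith("{") and text.endswith("}")):
        return field_value
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return field_value  # curly braces, but not a JSON object: keep as is
    if not isinstance(obj, dict):
        return field_value
    value = obj.get(key)
    return None if value is None else str(value)


# --- 2. Is the field "compound" across the index set? ----------------------
# Constructed sample shaped like the Elasticsearch 7 response to
#   GET /graylog_*/_mapping/field/winlogbeat_winlog_ita
# (assumption: index names graylog_0..2 are made up). graylog_1 once received
# a number in the field, graylog_2 a string: exactly the mixed-type situation
# the answer warns about.
FIELD = "winlogbeat_winlog_ita"
SAMPLE_FIELD_MAPPING = {
    "graylog_0": {"mappings": {}},  # field never indexed here
    "graylog_1": {"mappings": {FIELD: {"full_name": FIELD,
                                       "mapping": {FIELD: {"type": "long"}}}}},
    "graylog_2": {"mappings": {FIELD: {"full_name": FIELD,
                                       "mapping": {FIELD: {"type": "keyword"}}}}},
}


def field_types_by_index(mapping_response, field):
    """Group the indices of an index set by the type they map `field` to."""
    by_type = defaultdict(list)
    for index_name, body in mapping_response.items():
        entry = body.get("mappings", {}).get(field)
        if not entry:
            continue  # this index holds no document with the field
        leaf = entry["mapping"][field]
        by_type[leaf.get("type", "object")].append(index_name)
    return {t: sorted(idx) for t, idx in by_type.items()}


def is_compound(mapping_response, field):
    """True when more than one mapped type exists, i.e. Graylog will show the
    field as compound and cannot aggregate it in a widget."""
    return len(field_types_by_index(mapping_response, field)) > 1


def indices_with_other_type(mapping_response, field, wanted_type="keyword"):
    """Indices whose mapping disagrees with the type wanted going forward.
    After fixing the rule and rotating the active write index, restrict the
    search time range so these older indices are not included."""
    groups = field_types_by_index(mapping_response, field)
    return sorted(i for t, idx in groups.items() if t != wanted_type for i in idx)


if __name__ == "__main__":
    for raw in SAMPLE_FIELD_VALUES:
        print(f"{raw!r:60} -> {unwrap_lookup_result(raw)!r}")
    print(field_types_by_index(SAMPLE_FIELD_MAPPING, FIELD))
    print("compound:", is_compound(SAMPLE_FIELD_MAPPING, FIELD))
    print("older indices with a different type:",
          indices_with_other_type(SAMPLE_FIELD_MAPPING, FIELD))
```

Against a live deployment, replace `SAMPLE_FIELD_MAPPING` with the parsed body of the field-mapping request for the index set's index prefix; an empty `mappings` for an index simply means no document there carried the field. Separately, Graylog's pipeline functions also include `lookup_value(lookup_table, key, [default])`, which returns the single looked-up value instead of the whole result map, so the string never has to be unwrapped at all when the table only needs to return one column.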