I am using a pipeline connected to a .csv document, to create a new field in my windows logs on Graylog. As you can see from the screenshot, I can see the field in every log, but when I click on "show top values" to create a new widget, Graylog doesn't show anything.
I think this happens because the value in the field is not a string, in fact it's between curly brackets. The problem is that I can't find a way to show these values in a widget. I tried changing my pipeline rule but I had no results.
The following is one of the many attempts I made with the rule:
rule "eventid_windows_rule"
when
has_field("winlogbeat_winlog_event_id")
then
let winlogbeat_winlog_italiano = lookup("eventid_widget_windows_lookup", ($message.winlogbeat_winlog_event_id));
set_field("winlogbeat_winlog_ita", to_string(winlogbeat_winlog_italiano));
end
Screenshot:
This is a string representation of a JSON object, you should try to replace
by
This should avoid storing a JSON object representation (we expect to see "Un account ha effettuato il logon con succcesso" in
winlogbeat_winlog_ita)However, this may not be your only issue, check that the field type is not "compound": this may occur if, in the past, you sent another data-type in this field for the current index.
The best way to know if you are in this case is to click on "Fields" (in the sidebar, when searching), then, click on the field
winlogbeat_winlog_itaand see it the popup says "winlogbeat_winlog_ita = string" or if it shows mixed field types.If it is a compound value, you should rotate the active write Index, generate some logs, and search again (search from the date/time at which you performed the rotation to avoid taking old compound values into consideration)