Is it possible to extract message field to variables?


I am using the Elasticsearch datasource (Graylog) in order to extract certain values from the message field to the dashboard variables.

But it seems the message and full_message fields are somehow different from all other fields.

For example, this query:
{"find": "terms", "field": "source", "query": "application_name:RT_IDS", "size": "1000"}
shows me a Preview of values

but this one:
{"find": "terms", "field": "message", "query": "application_name:RT_IDS", "size": "1000"}
shows None

This is not clear to me: the message field is perfectly available in the Table visualization panel as a column, but for whatever reason I can't retrieve it for variables.

Is it possible at all?
Or is the only way to do it to extract the needed values into separate fields on the Graylog side?

Thanks in advance!

Sometimes, if your time range is too wide, the result needs a little bit of time.
Try to shorten the time range, then click update; to make sure, open the variable again…

Maybe it helps


@fadjar340, thanks for the tip, but I guess the real reason is that only indexed fields are supported in Variables.
I.e. with a 5 min interval I am getting the "source" field really fast, but in the case of the "message" field I am not getting any Preview values …
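
The `{"find": "terms", ...}` variable queries in this thread run a terms aggregation, which Elasticsearch only serves for aggregatable fields (for example `keyword`, not analyzed `text`). As an added example (not code from the thread, Grafana or Graylog), this Python helper reads a `_field_caps` response and reports which fields can feed such a variable. The sample response and its mappings are constructed assumptions, and `terms_variable_support` is a hypothetical name.

```python
import json

# Constructed sample of a GET <index>/_field_caps?fields=... response.
# The mappings shown are assumptions for illustration, not taken from the thread.
SAMPLE_FIELD_CAPS = json.loads("""
{
  "indices": ["graylog_0", "graylog_1"],
  "fields": {
    "source": {"keyword": {"type": "keyword", "searchable": true, "aggregatable": true}},
    "message": {"text": {"type": "text", "searchable": true, "aggregatable": false}},
    "application_name": {
      "keyword": {"type": "keyword", "searchable": true, "aggregatable": true, "indices": ["graylog_1"]},
      "text": {"type": "text", "searchable": true, "aggregatable": false, "indices": ["graylog_0"]}
    }
  }
}
""")


def terms_variable_support(field_caps, wanted):
    """Classify each wanted field as 'ok', 'partial', 'no' or 'missing' for a terms aggregation."""
    result = {}
    for name in wanted:
        per_type = field_caps.get("fields", {}).get(name)
        if not per_type:
            result[name] = ("missing", [])  # field not mapped in any queried index
            continue
        # A field can have different types in different indices; collect the ones that cannot aggregate.
        bad = sorted(t for t, caps in per_type.items() if not caps.get("aggregatable"))
        if not bad:
            status = "ok"        # terms query returns values from every index
        elif len(bad) == len(per_type):
            status = "no"        # searchable and visible in tables, but no terms values
        else:
            status = "partial"   # values only from indices where the type aggregates
        result[name] = (status, bad)
    return result


if __name__ == "__main__":
    report = terms_variable_support(SAMPLE_FIELD_CAPS, ["source", "message", "application_name", "full_message"])
    for field, (status, bad_types) in report.items():
        print(f"{field:18} {status:8} non-aggregatable types: {bad_types or '-'}")
```

A field reported as `no` can still be searched and shown as a table column, which matches the behaviour described above; copying the needed value into its own keyword field on the Graylog side makes it usable in a variable.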