Is it possible to extract message field to variables?

epiqsty · May 7, 2020, 7:32pm

Hi,

I am using Elasticsearch datasource(Graylog) in order to extract certain values from message field to the dashboard variables.

But seems message and full_message fields are somehow different from all other fields.

i.e. for example, such query:
{“find”: “terms”, “field”:“source”, “query”:“application_name:RT_IDS”,“size”: “1000” }
showing me Preview of values

but this one:
{“find”: “terms”, “field”:“message”, “query”:“application_name:RT_IDS”,“size”: “1000” }
shows None

That is not clear for me in such situation, the message field is perfectly available in Table visualization panel, as the column, but for whatever reason I can’t retrieve it for variables.

Is it possible at all?
Or the only way to do it - to extract needed values to separated fields at the Graylog side?

Thanks in advance!

fadjar340 · May 8, 2020, 12:31pm

Sometimes, if your time range is to wide, the result need little bit of time.
try to shorten the time range, then click update, to make sure, open again the variable…

Maybe it’s help

Regards,
Fadjar

epiqsty · May 11, 2020, 1:17pm

@fadjar340, thanks for the tip, but I guess, the real reason, in the Variables only indexed fields are supported.
i.e. with the 5 min interval I am getting “source” field really fast, but in case of “message” field I am not getting any Preview values …

Topic		Replies	Views
Filter and display only "message" field Elasticsearch	2	2718	January 14, 2022
Get values from an array field (from elasticsearch) Elasticsearch	0	1508	February 17, 2021
Elastic Search - Extract data from message to use as grouping Elasticsearch	1	1744	January 16, 2019
Grafana/Elasticsearch field equals X value query Elasticsearch	4	5333	June 9, 2020
Trimming the variable output	0	318	March 14, 2019

Is it possible to extract message field to variables?

Related topics