Graylog rules

graylog_rules.md

Fix problem graylog failed to parse field level of type long

Stage 0

rule "remove new line"
when
  has_field("message")
then
    let fix_message = replace(to_string($message.message), "\n", " ");
    set_field("message", fix_message);
end

rule "replace level to loglevel"
when
    has_field("message")
then
    let level_rename = regex_replace("\"level\":", to_string($message.message), "\"loglevel\":");
    set_field("message", level_rename);
end

rule "extract-json"
when
    starts_with(to_string($message.message), "{") && ends_with(to_string($message.message), "}")
then
    let json = parse_json(to_string($message.message));
    let map = to_map(json);
    set_fields(map);
end

rule "level to string"
when
    has_field("level")
then
    set_field("level", to_string($message.loglevel));
end

Stage 1

rule "req to string "
when
    has_field("req")
then
    set_field("req", to_string($message.req));
end

rule "loglevel to string"
when
    has_field("loglevel")
then
    set_field("loglevel", to_string($message.loglevel));
end