Created
April 22, 2016 08:59
-
-
Save kroepke/27de3bfa2123c5b9ef091888068526cb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule "static mapping" | |
| when has_field("status_code") | |
| then | |
| let mapping = {`404`: "not found", `500`: "server error"}; | |
| set_field("status_code", mapping[to_string($message.status_code)]); | |
| end |
@rfdrake It's really not fast, because the map will be recreated all the time. We have an open task to implement proper lookup tables, which is one of the remaining items to declare the pipelines non-experimental.
It's alluded to in Graylog2/graylog-plugin-pipeline-processor#27
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How fast is this if you have a giant mapping? I'd like to translate something like https://www.linkedin.com/pulse/cisco-syslog-logstash-daniel-gilbertson-5994871489260695552 into this, but it may be a situation where it's better to standup a logstash server just to mangle things and send them to graylog via GELF.