Closed glyph closed 9 years ago
Duplicate of Graylog2/graylog2-server#449
@glyph Extractors are executed during ingestion, before messages are indexed into Elasticsearch. Re-running extractors is not possible at the moment.
Please subscribe to Graylog2/graylog2-server#449 to get updates about the state of this feature.
I am collecting log data from a wide variety of services and servers; in many cases I'm not really sure what parts of that data I'm interested in. Sometimes I discover an interesting message I'd like to have a historical view of. If I could run an extractor over existing messages, this would be possible with Graylog.
With ELK, this is possible by writing a lot of really tedious glue scripts to re-invoke Logstash on existing indexes. With Graylog it appears to be tantalizingly close - I was trying out Graylog because the "add extractor" UI was way nicer than fiddling around with Logstash config files - but as far as I can tell it's not really possible to re-index old Graylog data using public APIs. I hope I'm wrong about this and you will just close this bug by telling me it's already possible and I missed a button somewhere :).