logstash-plugins / logstash-output-gelf

Apache License 2.0

Too many hosts in sender/source field when writing to graylog #18

Open Comradin opened 8 years ago

Comradin commented 8 years ago

Some background: I have a large filebase of old logfiles that should be imported to graylog. Using a filter I calculate a field "host" that contains the FQDN of the originating server so one can see the logs of a particular server in the search.

But the field is set to "fqdn.log.storage,fqdn.calulated.host".

This happens because the plugin is initialized in the notifier.rb with

  self.default_options['host'] ||= Socket.gethostname

This way host will always contain the fqdn of the host logstash is running on and the 'host' field that I previously extracted from the logs will be added to the Socket.gethostname based 'host' field resulting in this "two.hosts,in.field".

This can only be prevented when I initialize the plugin with a different field as sender, which will overwrite the 'host'. As defining 'sender' in the config block isn't mandatory I thought I could just provide the correct value in 'host'. Even defining sender => "%{host}" in the config will result in the two hostnames.

# Precondition
# event['host'] = 'different.server.com'

# does not work
gelf {
  host => "my.graylog.server"
  sender => "%{host}"
}

# does not work either
gelf {
  host => "my.graylog.server"
}

# Resolved
# event['sourcehost'] = 'my.calculated.fqdn'
gelf {
  host => "my.graylog.server"
  sender => "%{sourcehost}"
}

The last example will work as expected. I am not sure if this should be somehow fixed in the code or be made clear in the documentation. But it took me some time to figure out what happened here and why my data was broken.

Environment: