Hi Jiří,

the "level" message field has to be a numeric value, i.e. the numeric severity level of syslog messages: https://en.wikipedia.org/wiki/Syslog#Severity_level

You can use message processor pipeline rules to change that in Graylog: http://docs.graylog.org/en/2.2/pages/pipelines.html

Although in your specific case, I'd recommend converting the "level" field in Logstash.

Cheers,
Jochen

On Thursday, 16 February 2017 09:12:00 UTC+1, Jiří Kolb wrote:
>
> Hello,
> I have the following architecture: Logstash -> RabbitMQ -> Graylog
>
> I have an issue in the indexer with parsing:
> 17 minutes ago graylog_0 d58fe350-f41b-11e6-8407-000c29438b97 MapperParsingException[failed to parse [level]]; nested: NumberFormatException[For input string: "information"]
>
> In the Logstash debug output I can see a message like this:
>
> {
>            "devid" => "FGVMEV0000000000",
>      "raw_message" => "date=2017-02-16 time=00:55:46 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=0 mem=47 totalsession=3 disk=0 bandwidth=0/0 setuprate=0 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 0, memory: 47, concurrent sessions: 3, setup-rate: 0\"",
>       "fazlograte" => "0",
>             "type" => "fortigate",
>              "mem" => "47",
>   "syslog5424_pri" => "189",
>         "@version" => "1",
>             "host" => "10.0.0.90",
>           "action" => "perf-stats",
>      "disklograte" => "0",
>        "device_id" => "FortiGate-VM64",
>            "level" => "notice",
>        "bandwidth" => "0/0",
>              "cpu" => "0",
>        "<189>date" => "2017-02-16",
>          "message" => "<189>date=2017-02-16 time=00:55:46 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=0 mem=47 totalsession=3 disk=0 bandwidth=0/0 setuprate=0 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 0, memory: 47, concurrent sessions: 3, setup-rate: 0\"",
>               "vd" => "root",
>          "logdesc" => "System performance statistics",
>             "disk" => "0",
>       "@timestamp" => 2017-02-16T07:55:39.383Z,
>        "setuprate" => "0",
>            "logid" => "0100040704",
>             "time" => "00:55:46",
>     "totalsession" => "3"
> }
>
> Can you please help? I do not understand why level is not parsed; it is a string like the others that are parsed correctly.
>
> Thank you!
>
> Jiri
>

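Added example, not part of the original thread and not code from Graylog or Logstash: a plain Ruby sketch of the conversion recommended above, turning a textual "level" into the numeric syslog severity before the event is indexed. It works on a Hash shaped like the debug output in the thread; the field name "level_name" and the fallback to "syslog5424_pri" are assumptions of this example.

```ruby
# Syslog severity keywords (and common short forms) mapped to RFC 5424 numbers.
SEVERITY = {
  "emergency" => 0, "emerg" => 0,
  "alert" => 1,
  "critical" => 2, "crit" => 2,
  "error" => 3, "err" => 3,
  "warning" => 4, "warn" => 4,
  "notice" => 5,
  "information" => 6, "informational" => 6, "info" => 6,
  "debug" => 7
}.freeze

# event: Hash of string fields, as in the rubydebug output quoted in the thread.
# Returns a copy in which "level" is an Integer 0-7, or absent if it cannot be
# determined. "level_name" (hypothetical field) keeps the original text.
def normalize_level(event)
  raw = event["level"].to_s.strip.downcase
  already_numeric = raw.match?(/\A[0-7]\z/)
  numeric =
    if already_numeric
      raw.to_i
    elsif SEVERITY.key?(raw)
      SEVERITY[raw]
    elsif event["syslog5424_pri"].to_s.match?(/\A\d{1,3}\z/)
      # PRI = facility * 8 + severity, so the severity is PRI modulo 8.
      event["syslog5424_pri"].to_i % 8
    end

  out = event.dup
  out["level_name"] = event["level"] if event.key?("level") && !already_numeric
  if numeric.nil?
    out.delete("level") # never pass a non-numeric "level" on to the indexer
  else
    out["level"] = numeric
  end
  out
end

# Two fields taken from the event shown in the thread.
sample = { "level" => "notice", "syslog5424_pri" => "189" }
p normalize_level(sample)
```

For the event in the thread both paths agree: "notice" maps to 5, and PRI 189 is facility 23 times 8 plus severity 5.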