Graylog: How to resolve the issue

This documentation is part of the Data mapping issues guide. You can view the complete guide here: How to resolve Graylog index data mapping problems.

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:

  • Unlimited and dedicated SMTP email server included.
  • Effortless updates with just a click.
  • Customisable domain name secured with HTTPS (for example, https://logs.your-company.com).
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!

To resolve this issue, you have two options:

The ideal solution is to standardise the data types used for fields across all systems sending data to Graylog. For example, ensure that the "level" field is always sent either as a string (such as "error", "warn", etc.) or always as a number (3, 4, etc.). This consistency prevents mapping conflicts and ensures all documents are ingested correctly.

If standardising data types across all systems is not possible, you can use Graylog's pipelines to convert data types upon receipt. Pipelines allow you to define rules that transform data according to specific conditions.

To implement this solution:

  • Go to "System" > "Pipelines" in the Graylog web interface.
  • Click "Add new pipeline" to create a new pipeline.
  • Define rules to convert the "level" field (or other fields) to the desired data type. For example, you can convert numeric levels to their corresponding string representations (such as 3 to "error", 4 to "warning", etc.).

This approach ensures that all incoming data conforms to the expected data types, thereby preventing mapping conflicts.