I notice that Tom uses Extractors on his GitHub page to sort out Firewall and AP logs and do some field assignments. I know that Graylog has always stated that Pipelines were the future direction and that Extractors may be deprecated in the future. That was the position in 2016, but I haven’t seen any announcements.
With lookup tables and extractors, there is a limitation that only the single value is delivered when plugged into an Extractor, but you can get all the field values when using Pipelines. For example, if you are doing ASN lookups from a MaxMind data source, you only get the ASN number through the Extractor; with the pipeline you have to write a bit more code, but you can get both the ASN number and the Company Name.
I guess it’s situational on which route to take depending on data but just wondering what other folks are doing with Graylog?
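
The single-value versus multi-value difference described in the post, sketched as a Graylog pipeline rule (an added example, not part of the original post and not taken from Tom's GitHub configuration). The lookup table name `asn-lookup`, the source field `src_ip`, the target field names, and the result keys `as_number` / `as_organization` are assumptions; check the keys against the multi-value output your own lookup table returns before relying on them.

```graylog
rule "enrich src_ip with ASN number and organization"
when
  // Assumed field name; use whatever field your firewall logs put the address in.
  has_field("src_ip")
then
  let ip = to_string($message.src_ip);

  // lookup_value() returns only the table's single value, which is
  // all an Extractor (lookup table converter) can deliver.
  let asn_single = lookup_value("asn-lookup", ip);
  set_field("src_asn_single", asn_single);

  // lookup() returns the full multi-value result as a map, so both
  // the AS number and the organization name can be written to fields.
  // Key names below are assumed for a MaxMind ASN data adapter.
  let asn = lookup("asn-lookup", ip);
  set_field("src_as_number", asn["as_number"]);
  set_field("src_as_organization", asn["as_organization"]);
end
```

The rule has to be attached to a pipeline stage on the stream that carries the firewall messages, and the lookup table (with its data adapter and cache) has to exist under the name used in the rule.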