Hi Tony, your last post is missing the important part: Are the stream rules evaluated with logical AND (all rules have to match) or logical OR (only one rule has to match).
Additionally, your second rule, "message field must match exactly WARN" is wrong, as the message field clearly does not only contain the word "WARN". You can either use a regular expression to match the message field or extract that word into a separate field. Cheers, Jochen On Wednesday, 21 September 2016 00:06:53 UTC+2, Tony wrote: > > Hi Jochen, > thank you for your answer and help. In the first screenshot I capture from > the field debug_level the word INFO and it works. > The second is supposed to capture the word WARN from the field message and > doesn't work. The third screenshot is the message line. > > Thanks > > Tony > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/213a75cf-28d3-43cb-90b9-7b5225080307%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
