Hi!
I'm using the pipeline feature of Graylog and have a behavior which I don't
understand.
First the description of my Graylog setup
Message Processors Configuration
The following message processors are executed in order. Disabled processors
will be skipped.
#ProcessorStatus
1 Message Filter Chain active
2 Pipeline Processor active
I've created two rules.
Rule 1 looks like
rule "has_test_field"
when
has_field("test")
then
end
Rule 2 looks like
rule "remove_test_field_if_contains_value"
when
contains(value:to_string($message.test), search:"value")
then
remove_field("test");
end
I've created a pipeline with two stages
Stage 1 contains Rule 1 and stage 2 contains Rule 2
I've assigned the pipeline to stream "Test_stream_1" and have a second
stream with name "Test_stream_2" with no pipeline attached to.
When a message comes in it is routed in "Test_stream_1" and
"Test_stream_2".
As I understand pipelines, the message should have removed the field
"test", when it contains value "value" and it is routed to "Test_stream_1"
and should still contains field test, when it's routed to "Test_stream_2".
But the field test is removed in "Test_stream_2" too.
So what I have to do, so that the field test still exist in "Test_stream_2"
and is removed in "Test_stream_1"
Thank for the answer!
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/6ec49c08-864f-4d41-a47c-b9125dab1d9b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
