Alexander,
My understanding of streams (and I'm having my own issues with them, so I
might be wrong) is that they are implemented by tagging the message with
the applicable stream IDs at the time of processing. So basically each
"stream" is really a search that says "show me all messages with this
stream ID tagged on it". The important ramification of that for your use
case is that there is only one copy of the message data - the streams are
just pointers to that single copy. So if you modify that data in one
stream, that modification is global.
Cheers,
Daniel
On Wednesday, October 26, 2016 at 11:29:57 AM UTC-4, Alexander Stautner
wrote:
>
> Hi!
> I'm using the pipeline feature of Graylog and have a behavior which I
> don't understand.
>
> First the description of my Graylog setup
>
> Message Processors Configuration
>
> The following message processors are executed in order. Disabled
> processors will be skipped.
>
> #  Processor             Status
> 1  Message Filter Chain  active
> 2  Pipeline Processor    active
>
>
> I've created two rules.
>
> Rule 1 looks like
>
>     rule "has_test_field"
>     when
>       has_field("test")
>     then
>     end
>
> Rule 2 looks like
>
>     rule "remove_test_field_if_contains_value"
>     when
>       contains(value: to_string($message.test), search: "value")
>     then
>       remove_field("test");
>     end
>
> I've created a pipeline with two stages
>
> Stage 1 contains Rule 1 and stage 2 contains Rule 2
>
> I've assigned the pipeline to stream "Test_stream_1" and have a second
> stream with the name "Test_stream_2" with no pipeline attached.
>
> When a message comes in, it is routed to "Test_stream_1" and
> "Test_stream_2".
>
> As I understand pipelines, the message should have the field "test"
> removed when it contains the value "value" and it is routed to
> "Test_stream_1", and should still contain the field "test" when it's
> routed to "Test_stream_2". But the field "test" is removed in
> "Test_stream_2" too.
>
> So what do I have to do so that the field "test" still exists in
> "Test_stream_2" and is removed in "Test_stream_1"?
>
> Thanks for the answer!
>
>
>
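The model described in the reply, as a small simulation (an added example, not part of the thread and not Graylog code). The Message class, the PIPELINES table, and the rule that a stage must match before the next one runs are assumptions made for illustration; the sample messages are constructed.

```python
# Toy model of "streams are tags on one stored copy" (constructed; not Graylog source).
from dataclasses import dataclass, field

@dataclass
class Message:
    fields: dict
    streams: set = field(default_factory=set)  # stream IDs tagged on the single copy

def has_test_field(msg):                       # Rule 1 from the question
    return "test" in msg.fields

def remove_test_if_value(msg):                 # Rule 2 from the question
    if "value" in str(msg.fields.get("test", "")):
        msg.fields.pop("test", None)           # mutates the only copy there is
        return True
    return False

# Pipeline from the question: stage 1 holds Rule 1, stage 2 holds Rule 2,
# and it is connected to Test_stream_1 only.
PIPELINES = {"Test_stream_1": [[has_test_field], [remove_test_if_value]]}

def process(msg):
    """Run every pipeline connected to a stream the message is tagged with."""
    for stream in sorted(msg.streams):
        for stage in PIPELINES.get(stream, []):
            # Assumption: later stages run only if some rule in this stage matched.
            if not any([rule(msg) for rule in stage]):
                break
    return msg

def search(store, stream_id):
    """A stream view is a filter over the one store, not a separate copy."""
    return [m for m in store if stream_id in m.streams]

def demo():
    store = [
        process(Message({"source": "host-a", "test": "some value"},
                        {"Test_stream_1", "Test_stream_2"})),
        process(Message({"source": "host-b", "test": "some value"},
                        {"Test_stream_2"})),   # never touches the pipeline
    ]
    return search(store, "Test_stream_1"), search(store, "Test_stream_2")
```

In this model the message tagged with both streams loses "test" in the Test_stream_2 view as well, because both views return the same object; only the message tagged with Test_stream_2 alone keeps the field.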