Hi All,
We are generating alerts based on an event definition, and the alerts are triggered and recorded in the “All Events” stream. We are trying to modify the message by adding new fields via a pipeline. Below is the sample rule:
rule "AlertsGeneratedInAllEvents"
when
  true
then
  let timestamp = to_string($message.timestamp);
  set_field("@timestamp", timestamp, "", "");
  set_field("alertType", "LogAlert", "", "");
  set_field("alertTitle", to_string($message.message), "", "");
end
Sample message from the All Events stream:
{
  "id" : "01DMVSDKWY6GMDKV1G",
  "event_definition_type" : "aggregation-v1",
  "event_definition_id" : "5d76240b9425248b2f",
  "origin_context" : null,
  "timestamp" : "2019-09-16 01:01:19.651",
  "timestamp_processing" : "2019-09-16 01:01:33.467",
  "timerange_start" : "2019-09-16 00:56:22.466",
  "timerange_end" : "2019-09-16 01:01:22.465",
  "streams" : [
    "000000000000000000000002"
  ],
  "source_streams" : [
    "5d76240b9425248b2f"
  ],
  "message" : "IIS_HighVolume_500_ErrorCodes: itservicedesk.graylog.com - count()=105.0",
  "source" : "graylog3-cluster",
  "key_tuple" : [
    "itservicedesk.graylog.com"
  ],
  "key" : "itservicedesk.graylog.com",
  "priority" : 2,
  "alert" : false,
  "fields" : {
    "parent_id" : "itservicedesk.graylog.com"
  }
}
Also, we are not able to forward the messages to a GELF Output via “Manage outputs”; the messages are not sent. Is there any specific reason why messages from the All Events stream cannot be modified?
I couldn’t find much information in the documentation about the All Events stream. Kindly clarify and let me know your thoughts; it would be very helpful.
Thanks,
Ganeshbabu R
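As an added illustration (not part of the original post and not Graylog's own code), the following Python script applies the same three fields the pipeline rule sets to the quoted event document and then shapes the result into a GELF 1.1 payload of the kind a GELF Output would emit. The event timestamp is assumed to be UTC, and the `event_id`/`event_timestamp` field names are my own choice, because GELF reserves `_id` and does not allow `@` in additional field names.

```python
import re
from datetime import datetime, timezone

# Constructed sample, abbreviated from the event document quoted in the post.
EVENT = {
    "id": "01DMVSDKWY6GMDKV1G",
    "timestamp": "2019-09-16 01:01:19.651",
    "message": "IIS_HighVolume_500_ErrorCodes: itservicedesk.graylog.com - count()=105.0",
    "source": "graylog3-cluster",
    "priority": 2,
    "fields": {"parent_id": "itservicedesk.graylog.com"},
}
GRAYLOG_TS = "%Y-%m-%d %H:%M:%S.%f"    # timestamp format used in the event document
FIELD_NAME = re.compile(r"^[\w.\-]+$")  # characters GELF allows in a field name

def enrich(event):
    """Apply the pipeline rule's three set_field() calls to a plain dict."""
    out = dict(event)
    out["@timestamp"] = str(event["timestamp"])
    out["alertType"] = "LogAlert"
    out["alertTitle"] = str(event["message"])
    return out

def to_gelf(event):
    """Build a GELF 1.1 payload from the enriched event; event time is assumed UTC."""
    enriched = enrich(event)
    when = datetime.strptime(enriched["timestamp"], GRAYLOG_TS).replace(tzinfo=timezone.utc)
    gelf = {
        "version": "1.1",
        "host": enriched["source"],
        "short_message": enriched["message"],
        "timestamp": when.timestamp(),  # seconds since the epoch, as GELF expects
    }
    # Extra data travels in underscore-prefixed additional fields. GELF reserves
    # "_id", so the event id is renamed; "@timestamp" gets a legal name as well.
    extras = {
        "event_id": enriched["id"],
        "event_timestamp": enriched["@timestamp"],
        "priority": enriched["priority"],
        "alertType": enriched["alertType"],
        "alertTitle": enriched["alertTitle"],
        **enriched.get("fields", {}),
    }
    for name, value in extras.items():
        if name == "id" or not FIELD_NAME.match(name):
            raise ValueError(f"illegal GELF additional field name: {name}")
        gelf["_" + name] = value
    return gelf
```

Running `to_gelf(EVENT)` yields the payload with `_alertType`, `_alertTitle` and `_parent_id` attached; a field named `id` inside `fields` is rejected rather than silently dropped.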