We are using Graylog to collect log data from a lot of different systems in staging and production environments.
We would like to use alerting when error messages are coming in.
So far so good.
As usual, a lot of legacy systems are used in our environment, and so we receive quite a lot of messages in the ERROR category that should be ignored in alerting.
I'm aware that I probably should use pipelines to create this logic. Also, I would like to use a multi-value lookup to pick up the conditions based on the source of the message being handled in the pipeline.
This is all working fine, but now I'm stuck on what to do with the map/array values returned by the invocation of the lookup() function. It seems to me I would have to implement a custom function to apply, e.g., message regexes, because there is no loop in the Graylog functions.
I could also use Drools, but I'm not sure about the performance, and also, as I understand the roadmap, Drools will only be available as a plugin in the next major version of Graylog.
I would appreciate any feedback.
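An added pipeline rule (not part of the original post, and not a Graylog-provided rule) showing one way to sidestep the missing loop: instead of returning a list of patterns per source and iterating over it, store one regular expression per source whose alternatives are the messages to ignore, fetch it with lookup_value(), and apply it with a single regex() call. The lookup table name `error_ignore_patterns`, its contents, the `level`/`source` fields being plain strings, and the marker field `alert_ignore` are assumptions for illustration.

```graylog
rule "flag known-noisy ERROR messages for alert suppression"
when
  // Only consider ERROR-level messages that carry a source.
  // `level` being a string field is an assumption about this setup.
  has_field("source") &&
  to_string($message.level) == "ERROR" &&
  // `error_ignore_patterns` is an assumed lookup table (e.g. a CSV data adapter)
  // keyed by source whose value is ONE Java regex with the patterns joined by "|",
  // e.g. "(?:Connection reset by peer|Deprecated API .* called)".
  // The default "(?!)" can never match, so a source without an entry is never
  // suppressed; a default of "" would match every message.
  regex(
    to_string(lookup_value("error_ignore_patterns", to_string($message.source), "(?!)")),
    to_string($message.message)
  ).matches == true
then
  // Mark instead of dropping: the message stays searchable, only the alert skips it.
  set_field("alert_ignore", true);
end
```

The alert's search query then excludes the marker, for example `level:ERROR AND NOT alert_ignore:true`. Because regex() uses Java regular expressions, the patterns in the lookup table must be escaped accordingly, and joining them with `|` inside a non-capturing group keeps one badly formed entry from silently changing the meaning of its neighbours.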