Recently, i found some boolean related issues. as there are statements in the document:
Conditions
In Graylog’s rules the when clause is a boolean expression, which is evaluated against the processed message.
Expressions support the common boolean operators AND (or &&), OR (||), NOT (!), and comparison operators (<, <=, >, >=, ==, !=).
Issue 1:
while use “regex(…).matches” as the boolean expression and the evaluation will be false, but “regex(…).matches == true” will be true.
Issue 2:
using the following rule to set a new field “x_has_field", we will got a value of true:
rule "input message does not come with 7 fields"
when
has_field("x_error_found") == false
then
set_field("x_has_field",to_string(has_field("x_error_found")));
// set_field("x_error_found",true);
// set_field("x_errors","input message does not come with 7 fields;");
end
issue 3:
using a boolean expression with something like regex(…).matches && NOT regex(…).matches will report error, but the document does state the NOT being a boolean operator.
it is not so easy to catch up…, anything behind this ?