Recently, I found some boolean-related issues. There are statements in the documentation:
In Graylog’s rules the when clause is a boolean expression, which is evaluated against the processed message.
Expressions support the common boolean operators AND (or &&), OR (||), NOT (!), and comparison operators (<, <=, >, >=, ==, !=).
When using “regex(…).matches” as the boolean expression, the evaluation will be false, but “regex(…).matches == true” will be true.
Using the following rule to set a new field “x_has_field”, we get a value of true:
rule "input message does not come with 7 fields"
when
  has_field("x_error_found") == false
then
  set_field("x_has_field", to_string(has_field("x_error_found")));
  // set_field("x_error_found", true);
  // set_field("x_errors", "input message does not come with 7 fields;");
end
Using a boolean expression like regex(…).matches && NOT regex(…).matches will report an error, but the documentation does state that NOT is a boolean operator.
It is not so easy to catch up… Is there anything behind this?
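For reference, the following is an added example rule, not code from the original post, that combines the operators the quoted documentation lists in one when clause: the `!` spelling of NOT, `&&` for AND, and an explicit `== false` comparison on `regex(...).matches`, which is the comparison form the post reports as evaluating as expected. The `message` field and the semicolon-separated pattern are constructed for illustration; `x_error_found` and `x_errors` are the field names from the post.

```graylog
// Added example (not from the original post). The "message" field and the
// pattern are assumed: a well-formed input is taken to be 7 fields separated
// by ";" (6 separators), and anything else is flagged.
rule "flag messages that do not come with 7 fields"
when
  // documented operators: "!" for NOT, "&&" for AND, "==" for comparison
  ! has_field("x_error_found") &&
  has_field("message") &&
  regex("^([^;]*;){6}[^;]*$", to_string($message.message)).matches == false
then
  set_field("x_error_found", true);
  set_field("x_errors", "input message does not come with 7 fields;");
end
```

The `! has_field(...)` guard keeps the rule from re-flagging a message that an earlier stage already marked, and the `has_field("message")` check avoids passing a missing field into `to_string`, so the regex only ever sees a real string.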