Has anyone considered a means for complex event processing?
I’d like to be able to correlate events over a period of time (longer than seconds, shorter than days). Has anyone found a viable solution to this?
My current idea is utilizing Drools Fusion, but I am unsure as to how easily I can incorporate it into Graylog.
Has anyone attempted to do this, or do you know if it’s even possible?
Can you give some examples of correlation you want to perform? Most likely my answer will be to use the REST APIs to execute searches as batch analysis in your own script or plugin. 
Sort of like "if X occurs, look and see if Y then Z occurs within a length of time. If not, no alert."
Or “If X, Y, and Z occur within a short period of each other, alert.”
I’m trying to sort out non-issue and false positive alert messages.
I know I can sort out messages through the pipelines, but they can’t do that over a length of time. Unless I’m mistaken.
The Graylog processing engine is not designed for this and running scheduled searches against the REST APIs is a much better and more scalable option.
Could you explain what you mean exactly? I’m still new to this.
Write a script that connects to the Graylog REST APIs (API browser available at System -> Nodes -> API Browser) and executes multiple, sequential searches and analysis methods to do the correlation.
Fair enough. Sounds like I may have a lot of work ahead of me then.
Thanks for the help!
