How is the create_message() function used? I have this…
rule "create_terse_message"
when
true
then
let msg = create_message("sample message");
end
What do I do after that? Is msg automatically created and put into the All Messages default stream? Or do I have to use route_to_stream() using msg as a parameter?
Other observations:
The graylog website documentation for create_message() says “currently incomplete”. What does that mean?
With the above code I have not observed any message with the text “sample message” created. But I have observed that the server slows down, the process buffer fills up and the server crashes. Is this possibly because without a proper when clause there is a good chance the new message will create a new message, which creates a new message in an infinite loop? That’s what I’m beginning to suspect. If that’s the case, maybe the documentation should include a warning for create_message() and clone_message(). Or even better, Graylog should have something like a TTL in a message that gets decremented when create_message() and clone_message() is called. If the TTL reaches zero it stops processing. That would be an excellent safety mechanism because even awesome programmers make mistakes sometimes!
CAVEAT: I have not tested or worked this specifically.
I don’t see in the docs where it says “currently incomplete” where do you see that? I think at that point in time it creates a new message but it isn’t clear where the new message will start processing since it isn’t being picked up by a stream… my logical guess is that message starts at the beginning of the current stream… wouldn’t be too hard to test out I guess with a few debug() statements and a testing stream/pipeline or two. This would follow with what you are surmising… as the new message starts the pipeline from the top, it hits your always on rule and then creates a new message… cats and dogs living together after that…
Perhaps the documentation should state the “new” message starts at the beginning of the stream to be clear about how the processing flows… there is a section in the forum for that here…
What are you actually trying to accomplish anyway?
What I’m trying to accomplish is I need to take the current message, delete all the fields other than the original text of the original message and then store that message. The reason I’m trying to do that is the Input did a bunch of grok’ing and setup a bunch of fields. I’m taking that message and want to make a copy to a new stream so I can apply new rules to it. But I want to start my rule processing on a clean original message.
I’m going to give it a try with an better when clause so it doesn’t re-process the same message infinity. That should help.
If you have a link to a blog/forum that describes how to use the debug() system please post it here. Thanks!
