Deleted Pipeline Rule Name showing in search

Hello,
I am testing Pipelines and created the below Rule “Detect Undefined” and a Pipeline which is connected to “All messages”, and when I search for the rule name in All messages I get results.
The issue is that when I deleted the Rule “Detect Undefined” and the Pipeline, I am still getting results when searching for “Detect Undefined” in the last 5 min! Is that normal? Why should I keep getting these messages after an hour of pipeline and rule deletion? (The rule is satisfied and there is an Undefined string in the message.)
But the rule is deleted and should not be running anymore…

Here is a screenshot after deleting the pipeline and rule (field pipelineDetection was set in the rule shown below).

Graylog version: Graylog 2.4.7+9116ead
Rule details:

rule "Detect Undefined"
when
  contains(to_string($message.message), "Undefined", false)
then
  set_field("pipelineDetection", "Detect Undefined");
end

Regards,

Check inside (edit) the pipeline stage you were working with; the deleted rule may be hanging on in there…

Thank you @tmacgbay for your reply,
There were no rules in stage 0!
Now I added a new rule “undefinedValues”, shown below; there is no “Detect Undefined” rule anymore:

Now we have both fields available in the search

Bummer. I had seen rules stay in the pipeline stage when I had changed their name and hoped that this would be a similar issue. More likely someone with better knowledge of the inner workings of Graylog will be more helpful than me.


You should also check the search manual. :)
Graylog will use OR if you don’t do it well.
So you should use " to search for the full pattern.
So ‘field_name:A B’ means field contains A OR message (not message field) contains B.
You need field_name:"A B"

But in a previous version I also saw some interesting processing with pipelines. I can’t reproduce it, so I have no evidence, and it was a long time ago, but as I remember, after I removed the pipeline connection it worked as before for a few hours.


@chawkimatta

First - you really should update to a more stable version of Graylog. Many issues you might have with the processing pipelines and many functions are added over time.

As @macko003 already pointed out, searching is done wrong. You want to search for the string - you need to tell the search "Detect Undefined" because you want the exact phrase.

https://docs.graylog.org/en/3.2/pages/queries.html <- check the docs.

If I get your message/question right - you could simply check the existence of a field (_exists_:pipelineDetection) in the query …

But I would update to the latest version and check if your problem is still given.

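The quoting behaviour described in the replies above, as an added example that is not part of the original thread and is not Graylog's code: a simplified Python model in which unquoted terms are OR-ed and a term without a field prefix searches `message` (an assumption). The helper names and sample messages are constructed for illustration.

```python
import re

# Simplified model of the query behaviour described in the replies above.
# It is not Graylog's or Lucene's parser.
DEFAULT_FIELD = "message"  # assumption: a term without a field prefix searches here
CLAUSE = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')

def parse(query):
    """Return (field, text) clauses; quoted text stays together as one phrase."""
    return [(field or DEFAULT_FIELD, phrase or term)
            for field, phrase, term in CLAUSE.findall(query)]

def clause_hits(field, text, msg):
    """True when one clause matches one message (whole words, any case)."""
    if field == "_exists_":  # _exists_:name is true when the field is set
        return text in msg
    value = str(msg.get(field, ""))
    return re.search(r"\b" + re.escape(text) + r"\b", value, re.I) is not None

def search(query, messages):
    """Clauses are OR-ed, so one matching clause returns the message."""
    clauses = parse(query)
    return [m["id"] for m in messages
            if any(clause_hits(f, t, m) for f, t in clauses)]

# Constructed sample messages, not taken from the thread.
MESSAGES = [
    {"id": 1, "message": "Undefined variable in handler",
     "pipelineDetection": "Detect Undefined"},        # tagged by the rule
    {"id": 2, "message": "Undefined index user_id"},  # never tagged
    {"id": 3, "message": "login ok"},
]

if __name__ == "__main__":
    for q in ['Detect Undefined',
              'pipelineDetection:Detect Undefined',
              'pipelineDetection:"Detect Undefined"',
              '_exists_:pipelineDetection']:
        print(f"{q!r:42} -> {search(q, MESSAGES)}")
```

In this model the two unquoted queries also return message 2, which was never tagged by the rule, while the quoted field query and the `_exists_` check return only the tagged message.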
