Hello,
I am testing Pipelines and created the below Rule “Detect Undefined” and a Pipeline which is connected to “All messages”, and when I search for the rule name in All messages I get results. The issue is that when I deleted the Rule “Detect Undefined” and the Pipeline, I am still getting results when searching for “Detect Undefined” in the last 5 min! Is that normal? Why should I still be getting these messages an hour after the pipeline and rule deletion? (The rule is satisfied and there is an Undefined string in the message.)
But the rule is deleted! It should not be running anymore…
Here is a screenshot after deleting the pipeline and rule (field pipelineDetection was set in the rule shown below)
Thank you @tmacgbay for your reply,
There were no rules in stage 0!
Now I added a new rule “undefinedValues”, shown below. There is no “Detect Undefined” rule anymore!
Bummer. I had seen rules stay in the pipeline stage when I had changed their name and hoped that this would be a similar issue. More likely someone with better knowledge of the inner workings of Graylog will be more helpful than me.
You also should check the search manual.
Graylog will use OR if you don’t do it well.
So you should use " to search for the full pattern.
So field_name:A B means field contains A OR message (not message field) contains B.
You need field_name:"A B"
But in a previous version I also saw some interesting processing with pipelines. I can’t reproduce it, so I have no evidence, and it was a long time ago, but as I remember, after I removed the pipeline connection it worked as before for a few hours.
First, you really should update to a more stable version of Graylog. Many issues you might have with the processing pipelines and many functions are added over time.
As @macko003 already pointed out, the searching is done wrong. You want to search for the string, so you need to tell the search "Detect Undefined" because you want the exact phrase.