I have Apache logs coming into Graylog. In these logs is a log entry message coming in every 5 seconds and it has the word OPTIONS in it. I want to drop these messages and not index them. I created a pipeline and a rule, but it doesn’t appear to be working.
I can do a simple search: message:OPTIONS and I see the messages. So I created a rule and assigned it to the stream:
rule "Drop Apache Noise"
contains(to_string($message.message), "OPTIONS", false)
Doesn’t work, still got messages coming in and getting indexed.
Am I close?