1. Describe your incident:
I currently have two streams which each use a separate index. Let's call these streams A and B:
- A is a stream which does not have any rules, hence any message received is stored in its index.
- B is a stream which has a rule defined on level: only messages with a level smaller than 6 are accepted by this stream. Hence the messages in B's index form a subset of those of A.
Now, I perform a search with B explicitly selected. I would expect that only the messages stored in B's index show up in the results. However, for some messages both a result from A's index and one from B's index are returned, resulting in a duplicate message in the message table.
As a concrete example, consider the images below. Sensitive information is redacted and color-coded where necessary for illustration.
In this example A is the top Stream. The rule present is a necessary field to make sure it originates from a correctly configured application server. B is the Anomalies stream at the bottom.
In the image above I would want only results of the Anomalies stream, as is shown in the top right. Although the red result is only shown once in the message table, both the blue and green messages are shown twice.
For both green and blue, one of the results is saved within the Messages index set and the other in the Anomalies index set.
2. Describe your environment:
OS Information: Ubuntu 20.04 LTS
Package Version: Graylog v4.1.9+bb3e2e8
3. How can the community help?
I was wondering whether this phenomenon is known to other people, and whether there is a way to solve this issue. Moreover, if this is due to invalid configuration I would also be happy to know, so we can improve our Graylog usage. Feel free to request other information if necessary to help me solve this issue. Thanks in advance!
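As an added example (not part of the post above and not Graylog's own code), the following Python script models the setup described there: two streams, one without rules and one accepting only level < 6, each writing to its own index set; a search that, as reported, returns a hit from every index set holding a matching message; and a check that flags message ids appearing in more than one index set and keeps a single hit per id, preferring the selected stream's index set. The stream names, the index-set names, the message fields and the hit layout (`_index`, `_id`) are constructed assumptions for illustration; nothing here calls the Graylog API.

```python
"""Added example (not from the original post): simulate two Graylog-style
streams with separate index sets and check a search result for message ids
that show up once per index set. All names and data below are constructed."""

from collections import defaultdict

# Constructed sample messages (hypothetical data, not from the post).
MESSAGES = [
    {"id": "m1", "level": 3, "source": "app-1", "message": "disk almost full"},
    {"id": "m2", "level": 6, "source": "app-1", "message": "request served"},
    {"id": "m3", "level": 4, "source": "app-2", "message": "retrying connection"},
    {"id": "m4", "level": 7, "source": "app-2", "message": "debug trace"},
]

# Stream rules as described in the post: A accepts everything, B only level < 6.
STREAMS = {
    "A": lambda m: True,
    "B": lambda m: m["level"] < 6,
}

# Each stream writes to its own index set (assumed index names).
INDEX_SET_OF_STREAM = {"A": "messages_0", "B": "anomalies_0"}


def route(messages):
    """Return {index_set: [message ids]} after applying every stream's rule.
    A message matched by several streams is stored once per index set."""
    stored = defaultdict(list)
    for m in messages:
        for stream, rule in STREAMS.items():
            if rule(m):
                stored[INDEX_SET_OF_STREAM[stream]].append(m["id"])
    return dict(stored)


def search_all_indices(stored, selected_stream):
    """Reproduce the behaviour reported in the post: although only one stream
    is selected, a hit comes back from every index set that holds a matching
    message id. Each hit records the index it came from."""
    wanted = set(stored[INDEX_SET_OF_STREAM[selected_stream]])
    hits = []
    for index, ids in stored.items():
        for mid in ids:
            if mid in wanted:
                hits.append({"_index": index, "_id": mid})
    return hits


def find_duplicates(hits):
    """Group hits by message id; report ids that were seen in more than one index."""
    by_id = defaultdict(list)
    for h in hits:
        by_id[h["_id"]].append(h["_index"])
    return {mid: idx for mid, idx in by_id.items() if len(idx) > 1}


def dedupe(hits, preferred_index):
    """Keep one hit per message id, preferring the selected stream's index set."""
    best = {}
    for h in hits:
        cur = best.get(h["_id"])
        if cur is None or (h["_index"] == preferred_index and cur["_index"] != preferred_index):
            best[h["_id"]] = h
    return sorted(best.values(), key=lambda h: h["_id"])


if __name__ == "__main__":
    stored = route(MESSAGES)
    hits = search_all_indices(stored, "B")
    print("duplicates:", find_duplicates(hits))
    print("deduplicated:", dedupe(hits, INDEX_SET_OF_STREAM["B"]))
```

Running the script shows exactly the symptom from the post: the two messages that satisfy B's rule are stored in both index sets, so a search scoped to B yields four hits for two messages, while `find_duplicates` names the offending ids and `dedupe` collapses them to one row each.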