I’m using Graylog 6.1.7 on Debian 12 with DataNode installed on the same machine. server is lxc on proxmox
Problem is when I try to create any pipeline rule I get an error message:
mismatched input ‘then’ expecting {‘(’, ‘[’, ‘{’, ‘+’, ‘-’, Not, ‘$message’, Boolean, Integer, Float, Char, String, Identifier}
This message appears if I add smth to the ‘when’ clause
If ‘when’ clause is empty then there’s no error
How did you create the field_contains condition? I suspect that is causing the problem.
When I add a field_contains clause, it looks like this:
i get the exact same error. I put in field: message and in search: sshd, or anything else and i get this error. Even if i try Field is string on message or full_message.
I am having this same issue with the latest 6.1 docker container. I am be going out on a limb here, but after digging around the graylog2-server repo for a while, I am wondering if some of the migrations are not being ran. In particular, V20230724092100_AddFieldConditions, but looking at the mongo container logs potentially many more?
I don’t see how migrations - and specifically that one - could be at fault:
V20230724092100_AddFieldConditions is run on every startup and simply adds mongo entries, if they are not already present.
You can check in Mongo that they are there; or enable debug logging on the migrations to see which are running.
Clearly something is off - but I don’t think it’s due to migrations.
Something to try: delete all the entries in rule_fragments, so they are recreated.
Gotcha, I didn’t look into Mongo itself yesterday, only logs from the server, datanode, and mongo containers.
I did the following steps today:
rule_fragments from Mongorule_fragments was re-created in MongoAfter messing around a bit more, I realized you just need to restart the stack after first setup to fix the issue 
I had restarted the stack multiple times yesterday, but I was jumping around testing different version and deleting the persistent data each time.
Thanks for your help!
Glad you got it fixed.
Now I’m wondering how the fragment entries got corrupted. What had changed prior to this occurring?
i can confirm that restarting the stack fixed the issue, thanks @khalef
As far as I can tell from my tests, all docker images >= 6.1.0 (including 6.2 betas) have this issue. I didn’t try every single version, but each version I spun up was a fresh install with no data from previous runs. I didn’t got back all the way to 6.0, but there is a github issue I found referencing the same problem in 6.1.1, but not 6.0.