Hello,
I have a message log that is routed to multiple streams without deleting it from “All messages” in order to perform alerts and some other analytics filtering…
The issue is that when we search for the log we get it duplicated; for example, the log below is showing 3 times because it's available in 3 streams (I have more than 10 streams).
* Is there a way to exclude all streams other than “All messages”, to get unique logs?
* Can we check which streams we have after performing a query in “All messages”, in order to exclude them?
I started from the other side, and I think you will get your answer.
So if you store one message in multiple streams, with different index sets, the GL will store the message multiple times. So if you search, you get all messages.
Use one index set for your 3 different streams.
OR start the search from the streams way, and you will see only one message when you start to search.
Thank you @macko003 for your reply
You are right,
both critical streams shown in the snapshot are on an index with prefix “critical_alarms”
and the “All messages” stream is on another index with prefix “graylog”.
What we can do here is exclude the index starting with “critical_alarms” while searching “All messages”.
You would select only the specific streams you want to search in and not use the search across all streams, which is only possible for admins. This will allow you to get only the results that are inside this stream and the index set that is the base for this stream.
Hi @jan
Actually, we need to have all messages in one place and we are using the other streams for alerts filtering.
So the main debugging stream is the “All messages”…
That would be great if !index:critical_alarms* works…