I’m currently trying to get alerted on a field that is added by a pipeline stage such as this:
rule "extract error level"
when
    true
then
    // pull the log level out of the message text into a named capture group
    let fields = regex(".* (ERROR|INFO|WARN|DEBUG) .*", to_string($message.message), ["severity"]);
    // add the captured group(s) to the message as fields (here: "severity")
    set_fields(fields);
end
As you can see, the rule adds a field “severity”. Looking at the specific stream the pipeline is connected to, the field is there and contains the right value. However, when I set up an alert condition (a simple field value condition for “serverity:ERROR”), I never get notified. It seems the alert condition doesn’t see the severity field added by the pipeline. Is this the expected behavior? Could someone explain, please? Thanks!
As already stated, the alert condition is a field value condition. The alert is triggered when messages matching severity: “ERROR” are received. Grace period: 0 minutes. Including last 35 messages in alert notification. Configured to repeat notifications.
Examples for log messages within the connected stream:
[0me[0m14:57:00,000 INFO [de.newsaktuell.mb.de.schedule.orderce.OrderCreatorExecutorScheduledMDB] (EJB default - 1) OrderCreatorExecutorScheduledMDB triggered
[0me[31m09:48:16,385 ERROR [de.newsaktuell.mb.jee.commons.AbstractQuartzScheduledMDB] (EJB default - 6) Error while execute scheduled command: de.newsaktuell.ordercore.helper.procevent.OrderCreatorExecutorCommand@5f6345e2: java.lang.RuntimeException: Error while executing ProcEvent
[0me[32m11:16:51,695 DEBUG [org.jboss.as.config] (MSC service thread 1-2) Configured system properties:
So, as you ask, I guess it should work normally, right? I was not sure whether this is supposed to work, as both the alert and the pipeline are connected to the same stream, so the issue might be related to a wrong processing order somehow.
Here is a more complete example of a typical error log entry. It was taken from an application-specific stream that is derived from the “all messages” stream by filtering it for source == “/mbprocessing_application_1”.
Please note that the severity field was extracted from the message field and added by the mentioned pipeline rule after the log message initially appears in the application-specific stream. So to me it seems the pipeline processing is some kind of post-processing whose results are not visible to alerting. Hope you can correct me here and prove me wrong.
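The following is an added Python model of what is described above, not code from the thread or from Graylog itself: it applies the rule's regex to the three log lines quoted in the thread, then evaluates the field value condition either after or before the pipeline has run, and also with the field name as it is quoted in the question. The helper names (regex, run_pipeline, field_value_condition, simulate) are assumptions for this illustration.

```python
import re

# Constructed sample messages, copied from the log lines quoted in the thread
# (the "[0me[0m" prefixes are the pasted ANSI colour codes, kept as they are).
SAMPLE_MESSAGES = [
    "[0me[0m14:57:00,000 INFO [de.newsaktuell.mb.de.schedule.orderce.OrderCreatorExecutorScheduledMDB] (EJB default - 1) OrderCreatorExecutorScheduledMDB triggered",
    "[0me[31m09:48:16,385 ERROR [de.newsaktuell.mb.jee.commons.AbstractQuartzScheduledMDB] (EJB default - 6) Error while execute scheduled command: de.newsaktuell.ordercore.helper.procevent.OrderCreatorExecutorCommand@5f6345e2: java.lang.RuntimeException: Error while executing ProcEvent",
    "[0me[32m11:16:51,695 DEBUG [org.jboss.as.config] (MSC service thread 1-2) Configured system properties:",
]

# Same pattern and group name as the pipeline rule "extract error level".
SEVERITY_PATTERN = re.compile(r".* (ERROR|INFO|WARN|DEBUG) .*")
GROUP_NAMES = ["severity"]


def regex(pattern, value, group_names):
    """Approximate Graylog's regex(pattern, value, group_names) with re.search:
    return a dict mapping each group name to its capture, or {} on no match."""
    match = pattern.search(value)
    if not match:
        return {}
    return dict(zip(group_names, match.groups()))


def run_pipeline(message):
    """Apply the rule body, i.e. set_fields(regex(...)), to one message dict."""
    enriched = dict(message)
    enriched.update(regex(SEVERITY_PATTERN, message["message"], GROUP_NAMES))
    return enriched


def field_value_condition(messages, field, value):
    """A field value alert condition: messages whose field equals the value.
    A field that is absent or spelt differently never matches."""
    return [m for m in messages if m.get(field) == value]


def simulate(pipeline_before_alerting, condition_field="severity"):
    """Count the messages the condition 'severity: ERROR' would trigger on.
    pipeline_before_alerting=False models the hypothesis from the thread that
    alerting evaluates the message before the pipeline has added the field."""
    msgs = [{"message": text} for text in SAMPLE_MESSAGES]
    if pipeline_before_alerting:
        msgs = [run_pipeline(m) for m in msgs]
    return len(field_value_condition(msgs, condition_field, "ERROR"))
```

Two things are worth checking against a real setup from this: that the condition's field name is exactly the one the rule sets, and that the pipeline is applied to the message before the alert condition evaluates it.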
Are you sure that there isn’t just an already triggered alert which isn’t repeated (new option in Graylog 2.2.x) and that there in fact is an alarm callback configured for that stream?