I downloaded the latest development graylog via the graylog-project tool (2.4.)
I have created the following rule which does not seem to be firing. No errors are in the logs. But the pipeline and Stage 0 are showing Throughput.
rule "Test Rule"
when
has_field("ip_orig_h")
then
set_field("test", "testing");
end
My logs in the stream show the field ip_orig_h, but I do not see the new test field.
did you check with a debug function if the rule is actually used?
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#debug
No I have not tried the debug function. I assume I would just include the debug function the the then part of the rule. I am running the backend server in debug mode. Also I know the rule works, because it fires in our production environment and I am using the same logs in my dev environment.
After changing the rule to have a different when condition… I can see the debug firing. And I see my test field in my logs. Thanks for the help. It seems that some of my extractors on inputs may need to be changed so I get my desired field.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.