I was working on changing a pipeline rule for better processing. I changed the conditional statement from
has_field("winlogbeat_source_name") AND NOT contains(to_string($message.winlogbeat_source_name), "Microsoft-Windows-Sysmon")
has_field("winlogbeat_source_name") AND NOT to_string($message.winlogbeat_source_name) == "Microsoft-Windows-Sysmon"
Rule was accepted syntactically by the pipeline rule creation. As soon as I implemented I got thousands upon thousands of the following messages from the graylog server:
2018-09-13T19:22:14.630Z WARN [ProcessBufferProcessor] Unable to process message <52249861-b78a-11e8-8744-0adf684f2f04>: java.lang.ClassCastException: org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression cannot be cast to org.graylog.plugins.pipelineprocessor.ast.expressions.LogicalExpression
I cannot figure out what is wrong with my syntax because I have another very similar conditional statement that is working fine. The only difference in the two similar ones is this is using
AND NOT. The other one is using
AND. Is this a bug or am I just missing something?