Hitting multiple streams

Hi All,

I have just set up a new index and new stream as I need to route some Windows logs differently and apply a different retention period.
What I set up is fine, but I now see that the one log is going to two streams as it meets both rule sets. What's the best practice to avoid this? I need it to go only to the newly configured stream, not the old one, but the old one should remain functioning as it currently is.


I have added a “not contain” rule to the original stream, which has resolved it for now, but doing this too much could result in very unclear rule sets and make it difficult to manage. Is there a better way?

Use the processing pipelines to route your messages into different streams and not the stream rules.

This way you do the processing and routing in the same place.
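
A sketch of the pipeline approach suggested above, added here as an example and not part of the original reply. It assumes the product is Graylog, whose pipeline rule language provides `route_to_stream` and `remove_from_stream`; the stream names, the `channel` field and its value are hypothetical.

```graylog
// Added example: stream names, field name and value are hypothetical.
// Connect the pipeline that holds this rule to the original stream
// (here "Windows Logs"), so it sees the messages the old stream rules matched.
rule "move Security channel events to long-retention stream"
when
  has_field("channel") && to_string($message.channel) == "Security"
then
  // Add the message to the new stream, and so to its index set and retention.
  route_to_stream(name: "Windows Security Long Retention");
  // Take it out of the old stream so it is stored only once,
  // without adding exclusion rules to the old stream.
  remove_from_stream(name: "Windows Logs");
end
```

With routing done here, the new stream needs no stream rules of its own, and the old stream's rules stay as they are.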