I have pipeline rule created in graylog to give alert to rule level higher that 11. but still i am getting alert for image loaded alerts why?

gsmith (GSmith) November 21, 2023, 4:25am 2

Your when statement try something like this…

when
contains(to_string($message.rule_group1), "windows")
then

You can add debug to your pipline to see whats going on then check you Graylog log file

 debug();

Maybe this might help

Topic		Replies	Views
Dropping messages using Pipelines Graylog Central (peer support) pipeline-rules , debuggingpl	4	6792	August 2, 2019
Rule does not work as expected Graylog Central (peer support)	8	1725	July 12, 2017
Problem with pipeline rule Graylog Central (peer support) pipeline-rules	1	382	September 9, 2020
Pipeline Rules - Exact Match on Field Graylog Central (peer support) pipeline-rules	5	5050	June 6, 2018
Pipeline rules from example broken (back-to-basics-enhance-windows-security-with-sysmon-and-graylog) Documentation Campfire	5	455	March 25, 2022