1. Describe your incident:
I created a rule to write a sessionID from the message to the lookup table - this works great. Then I created a rule to delete the sessionID from the lookup table based on a message that indicates that the session ended. This works, but only if the messages are more than 3 seconds away from each other.
Example: I get a Logon message with timestamp 2024-01-17 14:05:13.523 and a Logoff message with timestamp 2024-01-17 14:05:13.529, and so the sessionID is written but not deleted. I think this is because the messages are too close together, and when the Logoff message comes, the sessionID from the Logon message is not written yet.
Is there a function or a way to postpone Logoff messages, or some kind of delay?
I tried minutes(5), for example, but it didn't work.
Any help will be appreciated, thank you very much.
2. Describe your environment:
- OS Information: Ubuntu 20.04.6 LTS
- Package Version: Graylog 5.0.8
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
I tried to use the function minutes(value), but it didn't help.
I also tried to do it in two standalone pipelines (write rule and delete rule), but it didn't help.
4. How can the community help?
I will appreciate any tips on how to solve this.
Thank you very much.