I’m trying to setup a separate stream with less information for a specific technical api user.
rule “clone_message_to_reroute_stream_C2S_C2Svp”
when
has_field(“service”) &&
contains(to_string($message.service), “C2S_C2Svp”)
then
let x = clone_message();
route_to_stream(id: “603fa731e859696e66878829”, message: x);
end
As you can see, the rule is pretty simple and applied in last stage.
The stream has a custom index and is started, but doesn’t has any rules applied.
Since you’re not also specifying to remove the cloned message from the default stream, have you checked for the duplicate message there? Is it successfully cloning?
I made some strange progress. I’ve changed the when clause to when true and also to a more specific field and with that, the CPU usage explodes and I wasn’t even able to fix the rule, because the web ui was unusable. No documents were written at all to elasticsearch. I’m not sure what graylog is doing during the CPU peak.
After changing the rule from contains(to_string($message.source"), “DEFRAFW09”) to something which won’t match in the mongodb, the performance is back to normal.
Just for the notes, if someone else is also interested: db.pipeline_processor_rules.update( { “_id”:ObjectId(“603fa988e859696e66878ab8”) }, { $set: { source: “rule “clone_C2S_C2Svp_message”\nw
hen\n// has_field(“service”) &&\n// to_string($message.service) == “srv_S-C2S_C2Svp”\n has_field(“DEFRAFW09”)\nthen\n let x = clone_message(
);\n route_to_stream(id: “603fa731e859696e66878829”, message: x, remove_from_default: true);\nend” } } )
Throughput is currently around 4k msg/s on the attached stream. And around 1/4 would match the source pattern.
Is the clone_message + route_to_stream combination such a performance issue?
I found the issue. The pipeline rule was connected to a stage, which wasn’t reached by this specific message.
It seems, that I had a misunderstanding with the staging processor. I thought, that a message goes through all stages, even if it doesn’t match a previous stage.
