I am currently trying to set up streams to have my messages sorted into categories.
If I create a stream which just uses a rule on the "message" field using "contains", it does work correctly from the moment I started it.
If I use another field ("application") (that field was specified in a collector configuration as an additional field), the stream won't ever get a single message routed into it. Using the search with the same arguments, I see hundreds of messages coming in per minute. I tried the "match message against stream" function and that shows green for all the messages as well. Even the "xx messages/second" counter on the stream overview page is going up by the same amount as for the stream just matching the "message" field. There are no errors in the server log...
Then I did another thing: I created a stream which matches on "message" contains, and that worked perfectly. I then added another rule matching on my "application" field and then removed the first rule matching on "message". Then that stream worked perfectly. This resulted in two streams with the exact same configuration; the one which was modified is getting messages, the other one is not. Both are green on "match message against stream".
I really don't understand this and it makes no sense. It seems like some streams only start working after some time has passed, and some never start working at all.
Is there any additional information I could supply to help you with this question?