I wonder if you got answer the following for me.
Is it possible to have a pipeline rule with two conditions similar to below:-1:
when
has_field("EventId","2")
then
<commands to do>
end
when
has_field("EventId","3")
then
<commands to do>
end
The idea would be to do different processing options dependant on the EventId field value.
Or would they need to be separate pipeline rules?
Cheers
Jake
Yes, they would need to be separate.
Hi Jochen,
Can you tell me is there a performance impact on having a large number of rules in a pipeline stage?
For example, I want to set event severity within a pipeline attached to a stream, this would mean 21 pipeline rules for this steam.
Are there any hard limits or does it just means that more processing power is needed?
Jake
Of course there is. Every rule requires some computational resources to be evaluated (first check if the conditions in the when block are true, then execute the body in the then block if they are).
How big the performance impact is, completely depends on your individual rules.
This sounds like something you could solve in a single rule with a lookup table.
http://docs.graylog.org/en/2.4/pages/lookuptables.html
Hi Jochen,
This was my thought as well but i just wanted to explore the other option as I will have some complex pipeline rules to create alerts by setting event severity or fields.
Cheers
Jake
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.