New fields' visiblity to field test functions in same stage


(Charles Deng) #1

I found that newly created field not visible to field test functions(such has_field and is_null/is_not_null) in same stage, but it is available to set_field function, is this a design behavior or bug(although i have reported a bug for this: https://github.com/Graylog2/graylog2-server/issues/4693) ? i have create a pipeline as following:

stage 0 match either
	rule "Test visibilty 1";
	rule "Test visibilty 2";
	rule "Test visibilty 3";
	rule "Test visibilty 4";
	rule "Test visibilty 5";

rule "Test visibilty 1"
when
	true
then
	set_field("x_1","111");
	set_field("y_1",to_string($message.x_1));
end

rule "Test visibilty 2"
when
	has_field("x_1")
then
	set_field("x_2","222");
	set_field("y_2",to_string($message.x_1));
end

rule "Test visibilty 3"
when
	not has_field("x_1")
then
	set_field("x_3","333");
	set_field("y_3",to_string($message.x_1));
end

rule "Test visibilty 4"
when
	is_null($message.x_1)
then
	set_field("x_4","444");
end

rule "Test visibilty 5"
when
	is_not_null($message.x_1)
then
	set_field("x_5","555");
end

and input message, we will got:

image


(Charles Deng) #2

more test shows that all evaluation against message fields in “when clauses” of rules are against the status of message field before that enter the stage where the rules in. and the status of message fields in the “then clauses” of rules are moving forward following those actions.

for example, following pipeline

pipeline "test field scope"
stage 0 match all
	rule "set y=y and z=z";
stage 1 match either
	rule "if y==y then z=zz";
	rule "if z==zz then z=zzz";
end

rule "set y=y and z=z"
when
	true
then
	set_field("y","y");
	set_field("z","z");
end

rule "if y==y then z=zz"
when
	$message.y == "y" 
then
	set_field("z","zz");
end

rule "if z==zz then z=zzz"
when
	$message.z == "zz" 
then
	set_field("z","zzz");
end

get result: y=y, z=zz instead of y=y, z==zzz.


(Jochen) #3

For reference:


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.