I’m simply trying to see if a field is not equal to 0, and I’m failing spectacularly, much to my frustration. This is my code:
rule “alert on rsync failures”
when
has_field(“qa_node_num”) AND to_long(“qa_node_num”) != 0
then
set_field(“alert”, “1”);
end
I thought this should be pretty simple, but I’ve now tried about 6 permutations of the ‘when’ section, and either it matches on any number including 0, or never at all. It has to be something simple I’m missing here.
You’ve almost got it right. 
Accessing the contents of a message field works with $message.name_of_field, for example $message.qa_node_num.
Also see http://docs.graylog.org/en/2.4/pages/pipelines/rules.html#rule-structure.
rule "alert on rsync failures"
when
has_field("qa_node_num") AND to_long($message.qa_node_num) != 0
then
set_field("alert", "1");
end
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.