I am about to create pipeline rules, but my when condition is not correct interpreted.
Development environment, no notifications, except for the newer version.
GrayLog Version: 3.2.x
OS: Ubuntu 20.04 LTS in a Hyper-V Environment, 4 cores, 10GB RAM
Message Processors Configuration: Message Filter Chain - Pipeline Processor. AWS and GeoIp deactivated.
This is the second rule in Stage 0, Rule one is working perfectly.
The original when, I wanted to use is the following:
NOT(has_field(“origin”)) && to_long($message.WorkArea_AreaSize) > to_long(lookup_value(“ltables_workareas”, $message.WorkArea_AreaID, 0))
- $message.WorkArea_AreaSize is an extracted field from the Syslog_TCP Input
- ltables_workareas is a lookup table
it seems strange to me, so I did the following:
I added false in the when and it behaved correctly.
Then I added true and wanted to see the result of both conditions:
debug(NOT(has_field(“origin”))); ==> false
debug(to_long($message.WorkArea_AreaSize) > to_long(lookup_value(“ltables_workareas”, $message.WorkArea_AreaID, 0))); ==> false
both debug return false
when I put one of those condition, which are false into the when, it always returns true and jumps into the then
anybody has an idea, what is wrong with my conditions? Or maybe some bug?
Thank you very much for your support