as title says, how to create new message, set this message with new fields, then route this message to a stream in pipeline rules?
could you please help to give me a example?
hej @quguilai
could you please add some words describing what you like todo.
- would you like to add some new information to a message?
- would you like to split up some message content into different fields?
Did you already read the back to basic blog postings with some pipeline rules given?
You can use the route_to_stream and the set_field/set_fields functions for this.
See http://docs.graylog.org/en/2.2/pages/pipelines.html for general information and examples for the processing pipelines.
@jan, jochen, thanks so much for your quick response
please see my pseudocode rule below, I want to create a new message named msg which field value come from the incoming $message field, and at last I want to route new msg to “syslog model stream”, could you please give a real rule it based on the below pseudocode rule?
rule "syslog model rule"
when
$message.type == "SyslogType"
then
let msg = create_message();
let ip=$message.address;
let host_name=$message.host;
let passwd=$message.passwd;
let check_result=$message.status;
......
//set field to msg
set_field("account",msg.account);
set_field("ip",msg.ip);
set_field("host_name",msg.host_name);
set_field("passwd",msg.passwd);
set_field("check_result",msg.check_result);
........
route_to_stream("syslog model stream", msg);
end