Hello,
I've just started with Graylog and don't understand the pipelines concept.
My streams:
All messages - default index set
FW messages - dedicated FW index set, Remove matches from ‘All messages’ stream
Pipelines:
“Add recieved timestamp”, connected to the “All messages” stream with one rule:
rule "set receivedat with now"
when
true
then
set_field("receivedat", now());
end
“FW cleanup”, connected to the “FW messages” stream with two rules:
rule "empty message"
when
has_field("message")
then
set_field("message", "");
end
AND
rule "remove level field"
when
has_field("level")
then
remove_field("level");
end
Config:
Graylog 2.4.3+2c41897
Message processor order:
Order  Processor
1      Pipeline Processor
2      GeoIP Resolver
3      Message Filter Chain
Problems:
The receivedat field is also applied to the “FW messages” stream. I'm expecting no receivedat on FW messages.
No throughput and no changes on “FW cleanup”. Simulation reveals only the level field change. In fact, FW logs return an empty “NOT _exists_:level” query and the message field is still there.
The assignment of a message to one or many streams happens in the StreamFilter which is part of the “Message Filter Chain”.
So when your pipeline rules are running, the messages haven’t been assigned to any stream yet.
You can either change the order of message processors in your Graylog cluster or explicitly use the route_to_stream() function in a pipeline rule to assign a message to a stream.
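An added example of the route_to_stream() approach mentioned above (this is not code from the original thread; it is an illustration written for this page). It assumes firewall events carry a source field whose value starts with "fw-", which is a made-up convention; replace the condition with whatever actually identifies your firewall logs. The stream name "FW messages" is taken from the question.

```graylog
// Added example, not part of the original thread.
// Stage 0: assign firewall events to the FW stream from inside the pipeline,
// so the assignment exists even though the Message Filter Chain (and its
// StreamFilter) has not run yet. The "source starts with fw-" test is an
// assumption for this example only.
rule "route firewall events to FW stream"
when
    has_field("source") && starts_with(to_string($message.source), "fw-")
then
    // Name must match the stream exactly as it was created in the UI.
    // remove_from_default: true mirrors the "Remove matches from 'All messages'" option.
    route_to_stream(name: "FW messages", remove_from_default: true);
end

// Stage 1 (a later stage than the routing rule): stamp receivedat only on
// messages that are NOT firewall events. Guarding on the same condition is
// simpler than trying to read stream membership from within a rule.
rule "set receivedat for non-FW messages"
when
    !(has_field("source") && starts_with(to_string($message.source), "fw-"))
then
    set_field("receivedat", now());
end
```

Put the routing rule in an earlier stage than anything that depends on the FW stream; pipelines connected to “FW messages” (such as “FW cleanup”) are evaluated for a message only after it has been routed there, so a routing rule in stage 0 and the cleanup rules in a later stage is the safe arrangement. If you would rather not route from the pipeline at all, the other option in the answer above, moving the Message Filter Chain before the Pipeline Processor in the processor order, makes the stream assignment happen first and the original rules will then only see the messages of the stream they are connected to.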