I've just started with Graylog and don't understand the pipelines concept.
- All messages - default index set
- FW messages - dedicated FW index set, Remove matches from ‘All messages’ stream
- “Add recieved timestamp”, connected to “All messages stream” with 1 rule:
  ```
  rule "set receivedat with now"
  when
    true
  then
    set_field("receivedat", now());
  end
  ```
- “FW cleanup”, connected to “FW messages stream” with two rules:
  ```
  rule "empty message"
  when
    has_field("message")
  then
    set_field("message", "");
  end
  ```
  AND
  ```
  rule "remove level field"
  when
    has_field("level")
  then
    remove_field("level");
  end
  ```
|3||Message Filter Chain|
- The receivedat field is also applied on the “FW messages” stream. I'm expecting no receivedat on FW messages.
- No throughput or changes on “FW cleanup”. Simulation reveals only the level field change. In fact, FW logs return an empty “NOT exists:level” query and the message field is still there.