Hi @Joel_Duffield,
thank you for your answer. I am not fully sure if I understand you correctly. Are you saying that my WHEN condition with the grok() does not work as I might expect? The messages get parsed as I want them to - so it must return true - for the wrong reasons, you are saying?
```
when
  grok(
    pattern: "^%{DATA:device_name} \\[%{DATA:firewall_rule}\\] DESCR=\"%{DATA:rule_description}\" IN=%{DATA:interface_in} OUT=%{DATA:interface_out} MAC=%{GREEDYDATA:mac} SRC=%{IP:source_ip} DST=%{IP:destination_ip} %{GREEDYDATA:type_of_service} PROTO=%{WORD:network_transport}(?: (?:SPT=%{NUMBER:source_port}|DPT=%{NUMBER:destination_port}|%{GREEDYDATA:other}))*",
    value: to_string( $message.message )
  ).matches == true
...
```
I got this from here: Reddit: How can I use IF/ELSE in the THEN section of a pipeline rule?
Did I understand you correctly that grok_exists() is not a function to be used in WHEN conditions?
Thank you for clarification.
Chris
EDIT:
I have seen your recommendation on key-value here: Grok Pattern in Pipelines - #2 by Joel_Duffield
Would you use a Grok pattern to get the first two objects and then use a key-value function to get the rest? Then I would have to drop or rename certain fields. Would this be more efficient?
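Added example (not from the thread or from Graylog's own documentation) of the hybrid approach asked about above: grok takes only the positional prefix, and key_value takes the KEY=VALUE tail. It assumes the message layout implied by the grok pattern in the post, and it groks three fields rather than two because the quoted DESCR value can contain spaces, which a space-delimited key_value would split; field names such as kv_tail and the rule name are chosen here.

```graylog
rule "firewall: grok prefix, key_value the rest"
when
  // Cheap pre-check so grok does not run on unrelated messages
  contains(to_string($message.message), "DESCR=\"")
then
  let msg = to_string($message.message);

  // Grok only the positional part: device, rule tag and the quoted description.
  // Everything after the closing quote lands in kv_tail (assumed field name).
  let head = grok(
    pattern: "^%{DATA:device_name} \\[%{DATA:firewall_rule}\\] DESCR=\"%{DATA:rule_description}\" %{GREEDYDATA:kv_tail}",
    value: msg,
    only_named_captures: true
  );
  set_fields(head);

  // The tail is space-separated KEY=VALUE pairs (IN=, OUT=, MAC=, SRC=, DST=,
  // TOS=, PROTO=, SPT=, DPT=, ...). key_value splits them into one field each,
  // so a missing SPT/DPT simply yields no field instead of breaking the match.
  let kv = key_value(
    value: to_string(head["kv_tail"]),
    delimiters: " ",
    kv_delimiters: "="
  );
  set_fields(kv);

  // Map the netfilter-style keys onto the names used in the original grok pattern.
  rename_field("IN", "interface_in");
  rename_field("OUT", "interface_out");
  rename_field("MAC", "mac");
  rename_field("SRC", "source_ip");
  rename_field("DST", "destination_ip");
  rename_field("PROTO", "network_transport");
  rename_field("SPT", "source_port");
  rename_field("DPT", "destination_port");

  // Drop the intermediate field; keep the rest of the key_value output as-is.
  remove_field("kv_tail");
end
```

Because key_value produces whatever keys the log carries, any TOS/PREC/TTL/ID style fields arrive with their original names; rename or remove them in the same block if the index mapping needs fixed names.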