Pipeline: set manual string value in new field

I am 3 days into Graylog, so be kind.

In a pipeline rule I am trying to create a field and set a value to a string.

For example:
set_field("env", "MyString");

does not work… am I missing some trickery here?

Note: “MyString” is not part of a message; it's simply a value I want to add on a condition.

Please provide the full rule as an example.


rule "myrule"
when true then
  set_field("myfield", "mystring");
end

I expect a new field “myfield” with a string value of “mystring” inside…

Many thanks

set_field("myfield", "mystring"); is definitely correct syntax.

Are you sure that this rule is being run against messages?

All of my rules have a proper conditional check within the when section so, unsure about that in yours.

Yeah, I merely added “true” as an example. But for sure even the example does not work for me in 3.0.2 (no field created)…

I will go back and mess around again, but I am pretty sure this wasn't working.

How have you got your processing configured?

System > Configurations > Message Processors Configuration

I believe the processor order is correct because if I set the following it works:

rule "myrule"
when true then
  set_field("myfield", true);
end

Ah, maybe you are running into a mapping error within ES…

Maybe your ES is expecting the ‘myfield’ field to store a Boolean datatype so, when GL is attempting to write in a String value, ES is giving an error.

Maybe check your ES logs and check field mappings in your ES cluster…
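
The mapping check suggested in the last reply, as an added example that is not part of the original thread: it reads the output of an Elasticsearch field-mapping request for `myfield` and reports, per index, whether a string such as "mystring" would be accepted. The index names and the response are constructed samples, and the boolean acceptance rule is an assumption based on Elasticsearch 6 and later.

```python
import json

# Constructed sample of GET /graylog_*/_mapping/field/myfield output.
# ES 6.x nests a mapping type ("message"); ES 7+ omits that level.
SAMPLE_RESPONSE = json.loads("""
{
  "graylog_0": {"mappings": {"message": {"myfield": {
      "full_name": "myfield", "mapping": {"myfield": {"type": "boolean"}}}}}},
  "graylog_1": {"mappings": {"message": {"myfield": {
      "full_name": "myfield", "mapping": {"myfield": {"type": "keyword"}}}}}},
  "graylog_2": {"mappings": {}}
}
""")

def find_type(node, field):
    """Depth-first search for the entry describing `field`; return its ES type."""
    if not isinstance(node, dict):
        return None
    if node.get("full_name") == field and isinstance(node.get("mapping"), dict):
        for spec in node["mapping"].values():
            return spec.get("type")
    for child in node.values():
        found = find_type(child, field)
        if found:
            return found
    return None

def accepts(es_type, value):
    """True/False if the value fits the mapped type, None if not modelled here."""
    if es_type is None:                  # unmapped: dynamic mapping picks a type
        return True
    if es_type in ("keyword", "text"):   # scalars are indexed as their string form
        return isinstance(value, (str, bool, int, float))
    if es_type == "boolean":             # assumed ES 6+ rule: true/false, "true"/"false", ""
        return isinstance(value, bool) or value in ("true", "false", "")
    return None

def check(response, field, value):
    """Map each index name to (mapped type, whether `value` would be accepted)."""
    report = {}
    for index, body in sorted(response.items()):
        es_type = find_type(body, field)
        report[index] = (es_type, accepts(es_type, value))
    return report

if __name__ == "__main__":
    for index, (es_type, ok) in check(SAMPLE_RESPONSE, "myfield", "mystring").items():
        print(f"{index}: mapped as {es_type}, string value accepted: {ok}")
```

To use it against a real cluster, replace `SAMPLE_RESPONSE` with the JSON returned by the field-mapping request for your own index pattern.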
