Pipeline source name change not sticking

uclnj · June 18, 2018, 12:54pm

I have two pipelines to change server names - I can watch the Graylog log file showing the source name being swapped

but when I view look at the search results, the source name is back to “brunswickxtm”

however an identical rule for another firewall works and the source name change is reflected in the search results.

Rule that works

rule "Email AFS"
when
  to_string($message.source) == "EMAILAFS"
then
  set_field("source", "WatchGuard M300");
end

Rule that doesn’t work.

rule "BRXTM"
when
  to_string($message.source) == "BRUNSWICKXTM"
then
  debug($message.source);
  set_field("source", "WatchGuard XTM26W");
  debug($message.source);
end

The debug messages trigger when watching the log.

uclnj · June 18, 2018, 12:57pm

I took a chance, deleted the second pipeline and added the name swap as a secondary rule under the first pipeline and it began to work. Not sure if that is in the docs but hell if I could find it.

system · July 2, 2018, 12:57pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Change source name PIPELINES Graylog Central (peer support)	6	2134	November 29, 2019
Replacing the Name in the Source Field Graylog Central (peer support)	6	6356	November 8, 2019
Change source name through pipeline example? Graylog Central (peer support) pipeline-rules	9	7506	June 20, 2018
Rename fields "source to "DC_Name" Graylog Central (peer support)	3	786	December 20, 2022
Pipeline to convert source IPs into hostnames is not applied Graylog Central (peer support) pipeline-rules , basic-configuration	14	2228	March 24, 2022

Pipeline source name change not sticking

Related topics