I made two rules and if they are at one stage then everything works, if I put one rule into another stage, then it does not work.
Is this true or am I doing something wrong?
i have to make a new Pipeline?
Please post your pipeline configuration.
I only guess, but you probably put 2 pipeline rules to stage and setup:
Continue processing on next stage when: At least one of the rules on this stage matches the message
This way, both of rules are evaluated, but if you put one to another stage, it’s not working. So your condition in rules are wrong. Please put your configuration, so we can help…
Hi, shoothub!
rule "timestampEND"
when
has_field("Category") AND contains(to_string($message.Category), "Process Termination")
then
rename_field("timestamp", "timestampEND");
end
And
rule "timestampSTART"
when
has_field("Category") AND contains(to_string($message.Category), "Process Creation")
then
rename_field("timestamp", "timestampSTART");
endYou created it correctly, if you put both of rules in one Stage. This way both of them are evaluated, and works (if you setup Stage as: At least one of the rules on this stage matches the message = logical OR)
If you try to put one of the rule to another stage is isn’t working, which is OK, because graylog only run another stage, if lower stage pass, so it’s like a tree. It works as:
If Stage0 pass (one of rule match, or all of rules match - depends on configuration of Stage), then continue to Stage1 etc.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.