Remove matches from All messages stream

RochonC · November 2, 2017, 12:23pm

Why is the option ‘Remove matches from ‘All messages’ stream’ not checked in the 4 OOTB streams: nginx HTTP 404s, nginx HTTP 4XXs, nginx HTTP 5XXs, nginx requests. Does this means that for one input message, it’s now found in All messages AND depending on the message values & rules evaluation, could be found in one of the streams: nginx HTTP 404s, nginx HTTP 4XXs, nginx HTTP 5XXs, nginx requests ?

For example, if the input message contains:
• Field source = nginx
• Field response_status = 404

…will the message be found in 4 streams: All messages, nginx HTTP 404s, nginx HTTP 4XXs, nginx requests ? Is this 4 copies of the same input message ending up in the ‘Default index set’ ?

jochen · November 2, 2017, 4:46pm

Yes, exactly.

No.

Please refer to http://docs.graylog.org/en/2.3/pages/streams.html and http://docs.graylog.org/en/2.3/pages/configuration/index_model.html for information about streams and the underlying index model used by Graylog.

RochonC · November 2, 2017, 7:27pm

Thanks for your reply. If I got it right, the ‘Remove matches from ‘All messages’ stream’ option becomes handy when the stream(s) where a message end up in, uses a different ‘index set’ than the ‘Default index set’ and we don’t want the message written in both index set.

system · November 16, 2017, 7:28pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Streams and default index set Graylog Central (peer support)	3	197	January 16, 2024
Stream displays messages from another index Graylog Central (peer support)	5	36	November 11, 2024
Duplicate logs/messages Graylog Central (peer support)	7	3115	July 30, 2019
Streams and Indicies Graylog Central (peer support)	2	278	March 25, 2019
Remove duplicate messages from all_messages Graylog Central (peer support)	2	2494	March 6, 2018

Remove matches from All messages stream

Related topics