I have a stream called auditd using index set auditd.
Pipeline processor is after Message Filter chain in the configuration
I have a pipeline rule with
route_to_stream(name: "auditd", remove_from_default: true);
Message says it was routed to stream auditd but the message is stored in the default index so it is not searchable in the stream.
Stored in index
graylog2_511
Routed into streams
I would not use the name of the stream (as this can be used multiple times) but the UUID instead. That just as a first point.
Second, I'm not sure if the function in 2.5.1 already had the option "remove from default", so it would be safe to use the remove_from_stream function in addition and remove the 000000000000000000000001 stream.
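A pipeline rule that combines both suggestions from the reply (route by stream ID, then explicitly remove the message from the default stream), written here as an added example rather than code from the thread; the `has_field("auditd_type")` condition and the `<auditd-stream-id>` value are placeholders to be replaced with your own:

```graylog
rule "route auditd events to the auditd stream by ID"
when
  // assumed condition: replace with whatever identifies auditd messages in your setup
  has_field("auditd_type")
then
  // route by the stream's ID (visible in the stream's URL in the web UI), not by its name,
  // since several streams may share the same name
  route_to_stream(id: "<auditd-stream-id>");
  // explicitly drop the message from the default "All messages" stream so it is indexed
  // only in the auditd index set; this works regardless of remove_from_default support
  remove_from_stream(id: "000000000000000000000001");
end
```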