I am trying to create a rule that indicates how many users are currently connected to a server.
The message processors are in the following order: Message Filter Chain, Pipeline Processor, AWS Instance Name Lookup, GeoIP Resolver.
I have one stream called login_user, and only the ‘New session’ logs go into it.
Now here are the conditions!
When a log containing the string ‘Remove session’ comes into the ‘All messages’ stream, the session number should be extracted from the log.
After that, you need to find the ‘New session’ log in the ‘login_user’ stream that matches the session number of ‘Remove session’ and delete it.
This is the rule I want, but it may be difficult to satisfy the condition.
If so, I would like to be able to at least delete any one log from the ‘login_user’ stream without extracting the session number.
These are the rules I’ve made up a bit.
rule "Remove_Messages"
when
  contains(to_string($message.message), ("Removed session"))
then
  remove_from_stream("login_user");
end
This rule simply deletes the log containing ‘Remove session’ from the ‘login_user’ stream.
I also don’t know how to delete a specific message using the ‘remove_from_stream’ function.
I definitely don’t understand the pipeline, and I don’t have the skills to solve this problem.
I desperately need help now. 8ㅁ8