Stream does not write records to new index

david81 · January 24, 2024, 9:28am

Hello,
I created a new index under Graylog

I created the input as follows with an additional static field “log_type:wazuh”
The static field “log_type:wazuh” is also included in incoming messages.

Now I have created a stream that should write the incoming messages with the field “log_type:wazuh” to the index “wazuh”. For this purpose, I added the corresponding rule to the stream. Unfortunately, the incoming messages are still written to the default index

Where is my mistake?

Thanks
David

gsmith · January 26, 2024, 3:31am

Hey @david81

Not sure what going on with route to stream. If you referring to default stream “All Messages” ( Default) I personally would use a pipeline , attach it to default stream, point it to stream called " Wazuh".

rule "route to stream wazuh"
when
    has_field("log_type")
then
    route_to_stream(id: "64f6f1dba00f8f218c010726", remove_from_default: true);

david81 · January 26, 2024, 8:01am

Thanks @gsmith this soloution works for me

system · February 9, 2024, 8:02am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
After import of extractor no fields show in stream Graylog Central (peer support)	14	2010	April 24, 2018
Adding a new extractor field to an existing index Graylog Central (peer support)	3	1104	September 12, 2018
Can not create new Extractors Graylog Central (peer support)	4	999	April 25, 2019
Unable to create new extractor Graylog Central (peer support)	2	1098	July 25, 2018
Pipeline Rules to replace Extractor? Graylog Central (peer support) pipeline-rules	2	2889	March 13, 2017

Stream does not write records to new index

Related Topics