I am trying to match regular expression with logical OR for value expression but it does not work.
Any ideas?
Thanks for answering
unfortunately (30|31) didn’t work
It seems that when i load a message id and test the rules it works but on realtime log streaming it does not work
I have a pipeline rule:
rule “split_timestamp”
when
true
then
let ts_second = $message.timestamp.secondOfMinute;
end
and then on stream rules i have message expression for field second (30|31)
on test it works but on realtime stream it does not.
what is your processing order? When you match a field in the stream rule that is created in the processing pipelines - that might run after the stream rules, it will not match.
You should use the pipeline routing or change the processing order.
Message Processors Configuration:
Pipeline Processor
Message Filter Chain
GeoIP Resolver
I stopped to battle against that. I’m doing the routing directly inside the pipeline, at least it’s clear where it’s done.
Ok thanks,
I follow your advice and i think i have done my job
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.