I am new to Graylog but so far I love it!!! I tried to follow some other users examples but what I am trying to do is super simple. I don’t need to know about events that contain the text “Blocked by AAA” so I made a pipline to apply to all message and a rule that tells it to drop the message. It’s not working-is there something I am missing? Here is the rule:
rule “AAA”
when
contains(to_string($message.msg), “Blocked by AAA”)
then
drop_message();
end
Hi,
the default name for the message field is message ($message.message). Is the value you’re interested in actually in a field called msg?
I’m not sure wether to_string or contains would throw an error in this case. But its worth checking the graylog server log.
The rule is not matching at all, right?
Also @stevemg7 have you tried using the simulator to see the message does in fact, get dropped? If not, that’s your best bet–I usually keep the pipeline simulator open on one window or tab, and the pipeline IDE open on another.
That is great-yes, I had the message field name wrong-I fixed it and all is well now! Thank you so much for the response!!!
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
