Is there a way to inspect a pipeline rule’s variables while creating or running/testing it? List of variables that should always available to it or that are available at a given time? Description of what all $message object is guaranteed to hold? Ability to, say, console log when executed or dump $messages object?
Ex. I am wandering around in the dark and have conclude that neither $message nor any of the fields I expect to see are available to me in the pipeline rule. I know the rule executes, bc when I introduce an error, I see the error in the message fields.
Here’s my current method:
rule "parse event timestamp" when true then // let new_date = parse_date(to_string($message.time), "Y-M-d'T'H:m:s Z"); // let new_date = parse_date("2017-11-13T22:12:07 +0000", "Y-M-d'T'H:m:s Z"); let new_date = parse_date(to_string("blargh"), "Y-M-d'T'H:m:s Z"); set_field("timestamp", new_date); end
- I get the invalid string format “” message with the hardcoded “blargh” string.
- I get a proper value, and the parsed and replaced time overrides the log message’s timestamp in Graylog with the hardcoded date string
- I get the invalid string format “” message with the $message.time reference
- The rule doesn’t run if instead of
trueI specify has_field(“time”) or any other field I see in:
Does this additional context help explain what I’m hoping to see (like console.log($message) like capability) in my question at the top of this essay?