Writing/Debugging/Troubleshooting Pipeline Rules in Graylog

(Bronius Motekaitis) #1

Is there a way to inspect a pipeline rule’s variables while creating or running/testing it? A list of variables that should always be available to it, or that are available at a given time? A description of what the $message object is guaranteed to hold? The ability to, say, console-log when executed, or dump the $message object?

Ex. I am wandering around in the dark and have concluded that neither $message nor any of the fields I expect to see are available to me in the pipeline rule. I know the rule executes, because when I introduce an error, I see the error in the message fields.

Here’s my current method:

rule "parse event timestamp"
when
    true
then
//    let new_date = parse_date(to_string($message.time), "Y-M-d'T'H:m:s Z");
//    let new_date = parse_date("2017-11-13T22:12:07 +0000", "Y-M-d'T'H:m:s Z");
    let new_date = parse_date(to_string("blargh"), "Y-M-d'T'H:m:s Z");
    set_field("timestamp", new_date);
end
  • I get the invalid string format “” message with the hardcoded “blargh” string.
  • I get a proper value, and the parsed and replaced time overrides the log message’s timestamp in Graylog with the hardcoded date string
  • I get the invalid string format “” message with the $message.time reference
  • The rule doesn’t run if instead of true I specify has_field(“time”) or any other field I see in:

Does this additional context help explain what I’m hoping to see (like console.log($message) like capability) in my question at the top of this essay? :slight_smile:


(Jochen) #2

There’s an (undocumented) function called debug() which does exactly that:

Print any passed value as string in the graylog-server log. Note that this will only appear in the log of the graylog-server node that is processing the message you are trying to debug.

(Jochen) #3

For reference:

(Bronius Motekaitis) #4

Excellent - perfect :slight_smile: Some notes for other wayward implementers:

  • debug(<str>); can be inserted anywhere in the rule. If the string is empty, you get a helpful stock message in log PIPELINE DEBUG: Passed value is NULL.
  • Tip: insert a marker debug like debug('Hello world'); to confirm the stars’ alignment in the universe
  • Output to Graylog log means /var/log/graylog/server/current (at least on ubuntu) on the Graylog server. See and watch its output with tail -f

Thanks for sharing this great solution. I’ll post my more informed, real question in another, specific new thread :slight_smile:
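As an added example that is not code from this thread, here is a pipeline rule that applies Jochen's debug() the way the notes above suggest, to the timestamp-parsing case from the first post. It assumes the event's own timestamp arrives in a field named time, in the form 2017-11-13T22:12:07 +0000; the rule name, the "parse_timestamp:" log prefix and the Joda-Time pattern "yyyy-MM-dd'T'HH:mm:ss Z" (which parses that sample string) are my choices, not anything from the thread.

```graylog
rule "parse event timestamp with debug"
when
    // Gate on the field so messages without it are left untouched.
    // If this rule never fires, debug() in a separate "when true" rule
    // will show whether the field exists under the name you expect.
    has_field("time")
then
    // Every debug() line lands in the graylog-server log of the node
    // that processes this message, as "PIPELINE DEBUG: <value>".
    // Log only the fields you need: a full message dump can put
    // credentials, tokens or personal data into the server log.
    debug(concat("parse_timestamp: source=", to_string($message.source)));
    debug(concat("parse_timestamp: raw time=", to_string($message.time)));

    // Joda-Time pattern matching "2017-11-13T22:12:07 +0000".
    // parse_date throws (and aborts the rule) on a non-matching string,
    // so the next debug() only appears when parsing succeeded.
    let new_date = parse_date(to_string($message.time), "yyyy-MM-dd'T'HH:mm:ss Z");
    debug(concat("parse_timestamp: parsed=", to_string(new_date)));

    // Replace Graylog's receive time with the event's own timestamp,
    // so searches by time range reflect when the event happened.
    set_field("timestamp", new_date);
end
```

To confirm the field name before gating on it, a throwaway rule with when true then debug(concat("has time: ", to_string(has_field("time")))); end in the same stage will print true or false for every message; remove it afterwards, since it logs once per message.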

(system) closed #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.