Graylog2 / graylog-plugin-pipeline-processor

[DEPRECATED] Graylog Pipeline Message Processor Plugins
https://www.graylog.org/
GNU General Public License v3.0

route to stream doesn't allow remove from "ALL Messages" #221

Open gruselglatz opened 6 years ago

gruselglatz commented 6 years ago

Problem description

If I use this rule:

rule "rewrite source field for LG02"
when
  (to_string($message.gl2_remote_ip) == "xxx.xxx.xxx.xxx")
then
  set_field("source", "LG02_E6000");
  route_to_stream("CMTS Stream");
  route_to_stream("CMTS Alerting");
end

it also routes it to the default stream "ALL MESSAGES" and this replicates the messages to another index set.

It should be possible, or the default behaviour, to only route the messages in the given streams. Also, the stream stats are broken when you use route_to_stream: even when messages are incoming, it shows 0 messages/second.

Steps to reproduce the problem

see above.

Environment

Graylog 2.3.1+9f2c6ef on syslog.xyz.local (Oracle Corporation 1.8.0_144 on Linux 3.10.0-514.26.2.el7.x86_64)

Pipeline Processor Plugin | 2.3.1

kroepke commented 6 years ago

@gruselglatz nice timing!

I've just pushed code at https://github.com/Graylog2/graylog-plugin-pipeline-processor/pull/220

After review that will be part of 2.4.

Stream stats will be a bit more difficult and might not be part of the changeset (which is why I'll leave this one open for now).