Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

from_input does not return true #19407

Open drewmiranda-gl opened 4 months ago

drewmiranda-gl commented 4 months ago

I've never used this function before, but since the pipeline editor defaults to the UI, I thought I'd give the pipeline GUI editor a try.

I cannot get any pipeline rules to correctly return true when I use from_input. I'd tried both the input name as well as the input ID.

Using get_field("gl2_source_input") == "" does work.

Example:

Pipeline rule:

rule "route for testing duplicating messages"
when
  // get_field("gl2_source_input") == "662017e1cfcecf538d9a72f5z" ||
  from_input( 
    id : "662017e1cfcecf538d9a72f5"
  )
then
  set_field(
    field : "aaatest",
    value : "test"
  );
end

Expected Behavior

from_input returns true if the condition is true

Current Behavior

from_input always returns false.

Possible Solution

Steps to Reproduce (for bugs)

  1. Create a pipeline using from_input using the rule editor tester

Context

Your Environment

Please let me know if there are any questions.

drewmiranda-gl commented 4 months ago

Noting this is similar to https://github.com/Graylog2/graylog2-server/issues/15534, however that issue is from Graylog 5.0 so likely something unrelated.

janheise commented 4 months ago

@drewmiranda-gl I just took a quick peek out of curiosity - I am not that familiar with that stuff: just want to point out that the ids in your example are different. Maybe a copy/paste error? Also the docs state that it has to be a non-forwarder input and the lookup is going via the input registry - so maybe the input you're choosing to test is just a bad candidate? Also, the code has not been touched for a long time so #15534 is likely related. IMHO.

drewmiranda-gl commented 4 months ago

Good observation :) I added a z on the end to make sure it didn't match, but other than the z it's the same ID.

jrunu commented 1 week ago

I observed this behavior at a customer today as well. The customer was using a rule with just a from_input() that was processing (live) messages. Copied messages from that very input were not matching in the rule simulator.

(For context: In our rules we usually match against gl2_source_input the way @drewmiranda-gl suggested)