jalogisch
commented
5 years ago it might be that the . in the field name is the problem - as we do not allow dots in field names.
BUT we need to verify that.
Closed maxstoyanov closed 1 year ago
jalogisch
commented
5 years ago it might be that the . in the field name is the problem - as we do not allow dots in field names.
BUT we need to verify that.
maxstoyanov
commented
5 years ago I tried that but no change. I'll try to isolate the problem as soon as possible. (But will take a while due to different project priorities.)
patrickmann
commented
1 year ago @maxstoyanov reports that the issue is no longer reproducible in more recent versions of GL. Additionally, we now automatically replace a "." character in the field name with "_".
Expected Behavior
Changing the referenced grok expression should alter the result of my pipeline.
Even replacing
set_field("original_message", message_field);withset_field("event.original", message_field);does not change the result.Current Behavior
Old version of pipeline and grok expression are used even after reboot.
But adding the debug statement works as expected.
Steps to Reproduce (for bugs)
I know reproducing a bug is essential but I currently lack the time to build a separate instance from scratch and start testing there. So this only "works" on my instance:
Context
I have logs from my firewall (Cisco ASA) coming to Graylog with an UDP Raw input. Messages based on source ip are rerouted to a dedicated stream (and index set). The stream has a pipeline for message processing attached. I already used a version of this pipeline and started to adjust fields to adhere to the Elastic Common Schema.
Message Processor Configuration is:
Your Environment