Support parameterization of stream references

[miwent]

What?

Add the ability to create a parameter that refers to a stream or set of streams anywhere stream selection is allowed - pipelines, dashboard widgets, event/alert, definitions, or in the search window.

During content pack installation if the stream parameter does not exist, it should be created but with a null value; otherwise it should use the existing value.

Why?

This would allow for the creation/delivery of content that is not dependent upon existing stream objects but is something that can be configured by the installer without requiring effort to reconfigure stream settings.

This would also accelerate adding of new data where the stream parameter could be updated, causing a new data source to processed by existing content without requiring that every single content item be updated to use the new source.

Your Environment

• Graylog Version:
• Elasticsearch Version:
• MongoDB Version:
• Operating System:
• Browser version:

[miwent]

One additional note about the proposed functionality, if a search item (dashboard widget, etc.) is scoped to an empty alias I believe it should:

• Have a visual cue - possibly a font change, or color change indicating that the stream "alias" is null
• return no results, which is different than the normal operation when no stream is identified

[williamtrelawny]

Just got a customer requesting this functionality: HS-1778204562:

We have started using Content Packs to centralize work across our multiple environments, each one has its own Graylog server. Our servers consist of various dashboards, events definitions, streams, and notifications. Currently, we are seeking more details about Content Packs w/ Event Definitions and Streams.

We have an event definition with one defined stream: the purpose of this event is to identify logs from that specific stream. While generating the content pack, we noticed the Entity List presents two items: the event_definition and stream. However, in this case we do not want to export/import the streams, as each Graylog Server has its own streams, and the event definition should reference one of those existing streams.

Our idea is being able to:

• Create Content Pack without including streams.
• Allow the option to choose the stream we want for the event definition when uploading the content pack to another server.

Is it possible? We also have tried using a parameter for that, but it seems there is a limited list of config values we can use parameters for.

Based on our tests, we believe it would also be beneficial to have a similar approach for Notifications.

Also, I personally want to upvote this because forcing inclusion of instance-specific Streams really inhibits the extensibility of content pack deployment, since Stream ID's are always different in each Graylog instance.