My Graylog has already received some logs with the field "source" but not yet with the field "Source" (note the "S" in uppercase).
I want to create a rule with a filter on the field "Source".
So I create a Wizard rule, in the Fields Condition I type "Source".
But the autocompletion only allows me to choose "source", it doesn't allow to 'Create "Source"' as it usually does when the field doesn't exist in the Elastic indices.
For information when you edit rules of a Stream, the autocompletion shows some fields but if you click outside of the field, the value you typed as fieldname is not deleted as the Wizard does.
Moreover the autocompletion in the Stream is case sensitive but not in the Wizard.
frantz45
commented
2 years ago
My Graylog has already received some logs with the field "source" but not yet with the field "Source" (note the "S" in uppercase). I want to create a rule with a filter on the field "Source". So I create a Wizard rule, in the Fields Condition I type "Source". But the autocompletion only allows me to choose "source", it doesn't allow to 'Create "Source"' as it usually does when the field doesn't exist in the Elastic indices.
For information when you edit rules of a Stream, the autocompletion shows some fields but if you click outside of the field, the value you typed as fieldname is not deleted as the Wizard does. Moreover the autocompletion in the Stream is case sensitive but not in the Wizard.