When you create a rule it systematically creates a Stream.
But Graylog use Streams to route logs into different Elastic indexes (in addition to use Streams as an input for Alerts).
Currently when the Wizard creates a Stream, it always choose the Default Index.
So logs are duplicated if they also belongs to another index.
The first improvement we could do is allowing the user to choose a specific Index (but with the Default Index as default setting).
A 2nd improvement would be the Wizard would act as Graylog when it creates an Alert, you could use a query or choose Streams to filter logs, or both.
Sometimes a query is easier than Streams because it allows to mix OR and AND operators.
Moreover sometimes a same Stream could be used by multiples rules
(When the first release of the Wizard have been developped, the only way to filter logs for ALerts was to use Streams, we couldn't use a query).
When you create a rule it systematically creates a Stream. But Graylog use Streams to route logs into different Elastic indexes (in addition to use Streams as an input for Alerts). Currently when the Wizard creates a Stream, it always choose the Default Index. So logs are duplicated if they also belongs to another index.
The first improvement we could do is allowing the user to choose a specific Index (but with the Default Index as default setting).
A 2nd improvement would be the Wizard would act as Graylog when it creates an Alert, you could use a query or choose Streams to filter logs, or both. Sometimes a query is easier than Streams because it allows to mix OR and AND operators. Moreover sometimes a same Stream could be used by multiples rules (When the first release of the Wizard have been developped, the only way to filter logs for ALerts was to use Streams, we couldn't use a query).