Hi, I am trying to execute drool rules using some of the fields which I have created using extractors, but the drool rule fails to execute. I have created a field named month which extracts the month name from log, Below is the rule "Rewrite month" I am trying to execute. FYI the "Rewrite localhost host" rule works just fine.
// The following header lines are automatically added by Graylog server. //package org.graylog2.rules //import org.graylog2.plugin.Message //global org.slf4j.Logger log rule "Rewrite source host" when m : Message( source == "xyz" ) then m.addField("source", "abcd" ); log.info( "[Overwrite source rule fired] : " + m.toString() ); end rule "Rewrite month" when m : Message( _month_ == "Jan" ) then m.addField("_month_", "Feb" ); log.info( "[Overwrite month rule fired] : " + m.toString() ); end Q1. Is it possible to use custom fields into drool rules. Q2. If possible where can I find the docs which tells how to do it. Q3. If a rule such as "Rewrite source host" mentioned above is successfully executed, does the original log is stored into elasticsearch or the modified logs is stored or are both logs stored? Q4. Is it possible to have multiple .drl file or only one file will have multiple rules? Attaching the logs file "graylog-server.log" Thanks in Advance!! Anant Sawant. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/864aeea5-36fe-4805-9dda-3426acb9426e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
2017-01-10 18:24:11,007 ERROR: org.drools.compiler.kie.builder.impl.AbstractKieModule - Unable to build KieBaseModel:defaultKieBase Unable to Analyse Expression gl2_remote_ip == "172.16.0.78": [Error: unable to resolve method using strict-mode: org.graylog2.plugin.Message.gl2_remote_ip()] [Near : {... gl2_remote_ip == "172.16.0.78" ....}] ^ [Line: 23, Column: 8] : [Rule name='Rewrite IP address'] 2017-01-10 18:24:11,007 WARN : org.graylog2.rules.DroolsEngine - Unable to add rules due to compilation errors. org.graylog2.rules.RulesCompilationException: Message [id=1, level=ERROR, path=r1.drl, line=23, column=0 text=Unable to Analyse Expression gl2_remote_ip == "172.16.0.78": [Error: unable to resolve method using strict-mode: org.graylog2.plugin.Message.gl2_remote_ip()] [Near : {... gl2_remote_ip == "172.16.0.78" ....}] ^ [Line: 23, Column: 8]] at org.graylog2.rules.DroolsEngine.createKJar(DroolsEngine.java:232) ~[graylog.jar:?] at org.graylog2.rules.DroolsEngine.createAndDeployJar(DroolsEngine.java:194) ~[graylog.jar:?] at org.graylog2.rules.DroolsEngine.deployRules(DroolsEngine.java:169) [graylog.jar:?] at org.graylog2.rules.DroolsEngine.commitRules(DroolsEngine.java:147) [graylog.jar:?] at org.graylog2.rules.DroolsEngine.addRule(DroolsEngine.java:89) [graylog.jar:?] at org.graylog2.rules.DroolsEngine.addRulesFromFile(DroolsEngine.java:102) [graylog.jar:?] at org.graylog2.bindings.providers.RulesEngineProvider.<init>(RulesEngineProvider.java:44) [graylog.jar:?] at org.graylog2.bindings.providers.RulesEngineProvider$$FastClassByGuice$$3947f391.newInstance(<generated>) [graylog.jar:?] at com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40) [graylog.jar:?] at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012) [graylog.jar:?] at org.graylog2.shared.buffers.ProcessBuffer.<init>(ProcessBuffer.java:91) [graylog.jar:?] at org.graylog2.shared.buffers.ProcessBuffer$$FastClassByGuice$$ef94431e.newInstance(<generated>) [graylog.jar:?] at com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40) [graylog.jar:?] at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) [graylog.jar:?] at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375) [graylog.jar:?] at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53) [graylog.jar:?] at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45) [graylog.jar:?] at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:54) [graylog.jar:?] at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:132) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114) [graylog.jar:?] at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85) [graylog.jar:?] at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267) [graylog.jar:?] at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103) [graylog.jar:?] at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) [graylog.jar:?] at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145) [graylog.jar:?] at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41) [graylog.jar:?] at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:205) [graylog.jar:?] at com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:199) [graylog.jar:?] at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092) [graylog.jar:?] at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:199) [graylog.jar:?] at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:180) [graylog.jar:?] at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110) [graylog.jar:?] at com.google.inject.Guice.createInjector(Guice.java:96) [graylog.jar:?] at org.graylog2.shared.bindings.Hk2GuiceBridgeJitInjector.create(Hk2GuiceBridgeJitInjector.java:60) [graylog.jar:?] at org.graylog2.shared.bindings.GuiceInjectorHolder.createInjector(GuiceInjectorHolder.java:32) [graylog.jar:?] at org.graylog2.bootstrap.CmdLineTool.setupInjector(CmdLineTool.java:379) [graylog.jar:?] at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:193) [graylog.jar:?] at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?] 2017-01-10 18:24:11,010 WARN : org.graylog2.bindings.providers.RulesEngineProvider - Unable to load rules due to load error: /etc/graylog/server/rules.drl