
Hi community, I've a requirement of splitting 2 types of events from a single syslog stream based on event data fields like "appname=='CEF'". I tried the following filter in data routes and was hoping it would work: `__inputId.startsWith('syslog:in_syslog:') && appname=='CEF'`. But unfortunately it's not working. I already went through the Cribl documentation (https://sandbox.cribl.io/coursedocs/expressions/docs/filters) but I'm not sure where exactly the filter condition fails to filter the events.

Hi Manish, does the event contain appname=CEF already as a field, or is it within the _raw field? If the latter, you will need to either split the field out in a preprocessing pipeline or use another filter condition like `_raw.includes('CEF')`. Could you share an anonymized sample event here?


Hi Oliver, This seems to be fixed now. Actually I didn't notice that the syslog stream was consumed completely in a prior data route which was set as final. So there was no data forwarded to the subsequent data route.


:wink:


glad you found the problem.
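The two points raised in this thread, that a filter on `appname` only matches once the field exists on the event (otherwise a `_raw.includes('CEF')`-style filter is needed), and that an earlier route marked final consumes every event it matches so later routes never see them, can be reproduced with a small model of route evaluation. The following is an added example written for this thread; it is not Cribl's code and does not use the Cribl API. The events, route names and the `routeEvents` function are constructed for illustration, and the filters are plain JavaScript functions standing in for the route filter expressions.

```javascript
// Added example (not from the thread or from Cribl): a minimal model of how
// data routes are evaluated top to bottom, with a "final" route consuming
// the events it matches so that later routes never receive them.

// Constructed sample events. The first has appname parsed out as a field,
// the second carries CEF only inside _raw (not yet parsed), the third is
// ordinary syslog.
const events = [
  { __inputId: 'syslog:in_syslog:', appname: 'CEF',
    _raw: 'CEF:0|Vendor|Product|1.0|100|msg|5|' },
  { __inputId: 'syslog:in_syslog:',
    _raw: '<13>Jan  1 00:00:00 host CEF:0|Vendor|Product|1.0|100|msg|5|' },
  { __inputId: 'syslog:in_syslog:', appname: 'sshd',
    _raw: '<13>Jan  1 00:00:00 host sshd[123]: Accepted publickey' },
];

// Filter functions standing in for route filter expressions.
const filters = {
  // catch-all for the syslog input
  allSyslog: e => e.__inputId.startsWith('syslog:in_syslog:'),
  // the filter from the question: only works once appname is a field
  cefByField: e => e.__inputId.startsWith('syslog:in_syslog:') && e.appname === 'CEF',
  // the alternative suggested in the reply: match on the raw payload
  cefByRaw: e => e.__inputId.startsWith('syslog:in_syslog:')
    && typeof e._raw === 'string' && e._raw.includes('CEF'),
};

// Evaluate routes in order. A matching route counts the event; if that
// route is final the event stops there, otherwise evaluation continues.
// Returns per-route match counts plus events no final route consumed.
function routeEvents(routes, evs) {
  const counts = Object.fromEntries(routes.map(r => [r.name, 0]));
  counts.unmatched = 0;
  for (const e of evs) {
    let consumed = false;
    for (const r of routes) {
      if (!r.filter(e)) continue;
      counts[r.name] += 1;
      if (r.final) { consumed = true; break; }
    }
    if (!consumed) counts.unmatched += 1;
  }
  return counts;
}

// The situation described in the thread: a catch-all syslog route sits
// first and is final, so the CEF route below it never sees an event.
const brokenRoutes = [
  { name: 'all_syslog', filter: filters.allSyslog, final: true },
  { name: 'cef_events', filter: filters.cefByField, final: true },
];

// Fixed ordering: the narrow CEF route is evaluated first.
const fixedRoutes = [
  { name: 'cef_events', filter: filters.cefByField, final: true },
  { name: 'all_syslog', filter: filters.allSyslog, final: true },
];

// Fixed ordering, but matching on _raw so unparsed CEF events are caught too.
const fixedRawRoutes = [
  { name: 'cef_events', filter: filters.cefByRaw, final: true },
  { name: 'all_syslog', filter: filters.allSyslog, final: true },
];

console.log('broken  :', routeEvents(brokenRoutes, events));
console.log('fixed   :', routeEvents(fixedRoutes, events));
console.log('fixedRaw:', routeEvents(fixedRawRoutes, events));
```

With the broken ordering every event lands in `all_syslog` and `cef_events` stays at zero, which is exactly the symptom in the question. Reordering fixes it for the event that already has `appname` parsed; the `_raw`-based filter additionally picks up the event where CEF only appears inside the raw payload, at the cost of matching any syslog line containing that string.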

