Question

filter expression and route order

  • March 11, 2025
  • 6 replies
  • 44 views

Hello,

I noticed a strange thing, maybe anyone can explain.

I have 3 syslog sources: syslog:514:, syslog:51402: and syslog:51403:

Three routes for these sources, each with a different pipeline attached. The order of the routes is 514, then 51402 and at last 51403.

The filters in the routes are

__inputId.startsWith('syslog:514:') &&  __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51402:') && __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51403:') && __srcIpPort.includes('10.10.1.112')

(same host with different syslog outputs)

In this order the 514 port gets a load of events, the 51402 fewer and the 51403 nothing. That surprised me because when I check the source side I can capture 51403 events from this source IP.

For a test I moved the 514 route after the 51403 route. Just a feeling, but what??.. the 51403 suddenly gets all the events it was missing.

And here it gets strange. Just as if the 514 filter takes all the events from the 51403. But why didn't it take the events from the 51402? And to make it stranger, the events from the 51403 were nowhere to be found.

Is it the filter? Is it a bug (version 4.8.2), maybe it is solved in 4.9?

Anybody an answer?

Greetings

Jari

6 replies

Jon Rust
  • Employee
  • March 11, 2025

You didn't let us know which, if any, routes have the Final flag checked. That will impact the way the data flows.


  • Participating Frequently
  • March 11, 2025

It sounds like the 514 route is matching events it shouldn't - take a closer look at the inputIds and filters - for example make sure there is a trailing : on the 514 source, and make sure all the incoming events match it.

Test using different filters - e.g. .match(/^syslog:514[^0]/) and see if you can get the same behaviour.


  • Author
  • Participating Frequently
  • March 11, 2025

The 514: route is indeed final. Also the 51402 and the 51403 routes.

Every filter has a trailing :, so as far as I know this is the right way.

At this moment it is solved by changing the order, but I am curious what it is. It doesn't make sense that it filters the 51403 but not the 51402.. plus why does it filter at all.. only 514: is needed.

I did check other worker groups and routes, but luckily this is the only one with this combination.


Jon Rust
  • Employee
  • March 11, 2025

Can you provide a screencap of your configuration?


  • Author
  • Participating Frequently
  • March 11, 2025
[screenshot of the route configuration attached]

I have erased specific parts for security. It is about 14, 16 and 18.


Jon Rust
  • Employee
  • March 11, 2025

EDIT: I see you have groupings in place

One pro tip: I prefer using the fields definition in the input config to define a field that you can filter on.
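To check the two hypotheses raised in this thread (Final flag plus route order, and a 514 filter missing its trailing colon), here is a small model of ordered route dispatch. It is an added example, not Cribl's code or anything posted by the participants; the route names, the sample events and the "loose" 514 filter variant are constructed for the demo, and the filters are taken from the question.

```javascript
// Constructed sample events: same host on three syslog inputs, plus one other host.
const sampleEvents = [
  { __inputId: 'syslog:514:',   __srcIpPort: '10.10.1.112:40001' },
  { __inputId: 'syslog:51402:', __srcIpPort: '10.10.1.112:40002' },
  { __inputId: 'syslog:51403:', __srcIpPort: '10.10.1.112:40003' },
  { __inputId: 'syslog:51403:', __srcIpPort: '10.10.9.9:40004' },   // other host
];

const host = '10.10.1.112';

// Filters exactly as posted in the question (trailing ':' present), all Final.
const strictRoutes = [
  { name: 'r514',   final: true, filter: e => e.__inputId.startsWith('syslog:514:')   && e.__srcIpPort.includes(host) },
  { name: 'r51402', final: true, filter: e => e.__inputId.startsWith('syslog:51402:') && e.__srcIpPort.includes(host) },
  { name: 'r51403', final: true, filter: e => e.__inputId.startsWith('syslog:51403:') && e.__srcIpPort.includes(host) },
];

// Hypothetical variant: same routes, but the 514 filter lacks the trailing ':'.
const looseRoutes = strictRoutes.map(r => r.name !== 'r514' ? r :
  { ...r, filter: e => e.__inputId.startsWith('syslog:514') && e.__srcIpPort.includes(host) });

// Walk the routes in order: a matching Final route stops evaluation,
// a matching non-Final route records the hit and keeps going.
function dispatch(routes, event) {
  const hits = [];
  for (const r of routes) {
    if (!r.filter(event)) continue;
    hits.push(r.name);
    if (r.final) break;
  }
  return hits.length ? hits : ['<no route>'];
}

// Count events per route for a given route order.
function tally(routes, events = sampleEvents) {
  const counts = {};
  for (const e of events) {
    for (const name of dispatch(routes, e)) counts[name] = (counts[name] || 0) + 1;
  }
  return counts;
}

// Move a named route to the end of the list (the reordering tried in the question).
function moveToEnd(routes, name) {
  return [...routes.filter(r => r.name !== name), ...routes.filter(r => r.name === name)];
}

console.log('strict filters, original order:', tally(strictRoutes));
console.log('loose 514 filter, original order:', tally(looseRoutes));
console.log('loose 514 filter, 514 route last:', tally(moveToEnd(looseRoutes, 'r514')));
```

With the strict filters every event lands on its own route regardless of order; only the loose prefix makes a Final 514 route placed first swallow the 51402 and 51403 traffic, which is why the order then appears to matter.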