
Hi all,

I am trying to create a pipeline where all syslog data will land, and I want to filter the events from the device I want based on a string in the _raw field, like firewall or any other unique string.

I have tried _raw.includes('Firewall') or /Firewall/, though when I check in advanced mode in the filter tab it matches the correct event, but when I am checking it on a sample log I have built for testing it passes all the events regardless of the filter.

I know this can be done in routes itself, but I would still prefer if I could build a pipeline and more functions inside it for each source.
