filter expresion and route order

Jari Weststrate

Hello,

I noticed a strange thing maybey anyone can explain.

I have 3 syslog sources: syslog:514: ,syslog:51402: and syslog:51403:

Three routes for these sources, each with a different pipeline attached. The order off the routes are 514 then 51402 and at last 51403.

The filter in de routes are

__inputId.startsWith('syslog:514:') &&  __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51402:') && __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51403:')&&  __srcIpPort.includes('10.10.1.112')

(same host with different syslog outputs)

In this order the 514 port gets a load off events, the 51402 lesser and teh 51403 nothing. That surpised me because when a check the source side i can capture 51403 events from this sourceip.

For test i moved the 514 route after the 51403 route. Just a feeling. but what??.. the 51403 gets suddenly l the events it was missing.

And here it gets strange. Just as if the 514 filter takes al the events from the 51403. But why didn't it take the events from the 51402? And to make it stranger, the events from the 51403 where nowhere to be found.

Is it the filter? Is it a bug ( version 4.8.2), maybey it is solved in 4.9?

Anybody an answer?

Greetings

Jari

Jon Rust

You didn't let us know which, if any, routes have the Final flag checked. That will impact the way the data flows.