27 Oct 2023 12:42 PM
Scenario: i two rules similar as below,
Rule 1 : Adding a new attribute named service.name set to "example"
Rule 2 : use a log matcher to filter by matchesValue(service.name, "example")
But Rule 2 is never applied during log ingestion. Looks like some kind of issue with overlap of running Rule2 before the newly created attribute is available from Rule 1, is this an expected scenario ?
27 Oct 2023 01:44 PM - edited 27 Oct 2023 02:49 PM
Could you explain a little more about what you would like to do? If I understand you correctly, you would like to add a key-value pair "service.name": "example" to the JSON. Then you would like to create a second rule for further processing that matches if this condition applies. Can you send the processing rule that you have used and what you would like to have in the end here?
I think what you are trying to do is not possible. However, you can add multiple parse commands to first add the key-value pair and then filter on the new pair. More information can be found here: