
Graylog Stream multiple rules not working #17

Open
tahder opened this issue Dec 17, 2024 · 1 comment

Comments

@tahder

tahder commented Dec 17, 2024

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

A single-entry rule works well, even when modifying each key...

  graylog_stream { 'DNS':
    ensure      => present,
    description => 'All DNS log entries',
    rules       => [
      {
        field => 'application_name_x',
        type  => 'equals',
        value => 'named',
      },
    ],
  }

but when modified to have multiple rules:

  graylog_stream { 'DNS':
    ensure                             => present,
    description                        => 'All DNS log entries',
    rules                              => [
      {
        field => 'application_name_y',
        type  => 'equals',
        value => 'named',
      },
      {
        field    => 'facility',
        type     => 'equals',
        value    => 'kernel',
        inverted => true,
      },
    ],
  }

What are you seeing

==> graylog: Notice: /Stage[main]/Profile::Graylog/Graylog_stream[DNS]/rules: rules changed [
==> graylog:   {
==> graylog:     'field' => 'facility',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => true,
==> graylog:     'value' => 'kernel'
==> graylog:   }] to [
==> graylog:   {
==> graylog:     'field' => 'application_name_y',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => false,
==> graylog:     'value' => 'named'
==> graylog:   },
==> graylog:   {
==> graylog:     'field' => 'facility',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => true,
==> graylog:     'value' => 'kernel'
==> graylog:   }]

What behaviour did you expect instead

<ip>/streams/DNS is supposed to get another rule added, i.e. facility, in the DNS stream.

Output log

Any additional information you'd like to impart

However, deleting the DNS stream and rerunning Puppet does create the 2 rules defined, but provisioning, i.e. modifying an entry, will not be updated.


==> graylog: Notice: /Stage[main]/Profile::Graylog/Graylog_stream[DNS]/rules: rules changed [
==> graylog:   {
==> graylog:     'field' => 'facility',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => true,
==> graylog:     'value' => 'kernel'
==> graylog:   },
==> graylog:   {
==> graylog:     'field' => 'application_name_y',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => false,
==> graylog:     'value' => 'named'
==> graylog:   }] to [
==> graylog:   {
==> graylog:     'field' => 'application_name',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => false,
==> graylog:     'value' => 'named'
==> graylog:   },
==> graylog:   {
==> graylog:     'field' => 'facility',
==> graylog:     'description' => '',
==> graylog:     'type' => 'equals',
==> graylog:     'inverted' => true,
==> graylog:     'value' => 'kernel'
==> graylog:   }]
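The notices above show the provider comparing the current and desired rule arrays positionally, so a rule list that differs only in order (or only in the defaults Graylog fills in, such as 'description' => '' and 'inverted' => false) reads as a change on every run. As an added illustration, not the puppet-graylog module's own code, this is the kind of order-insensitive comparison a provider's insync? check could use; the rule keys and defaults are taken from the notices above and the sample inputs are constructed.

```ruby
# Added example: compare Graylog stream rule lists as sets, not as ordered
# arrays, so only a real difference in a rule (field, type, value, inverted)
# counts as a change. Not the module's code; the sample data is constructed.

# Keys Graylog reports with default values when the manifest omits them,
# as seen in the 'rules changed' notices above.
RULE_DEFAULTS = { 'description' => '', 'inverted' => false }.freeze

# Normalise one rule: string keys and defaults filled in, so a manifest rule
# (symbol keys, no description) compares by value against one read back
# from the Graylog API.
def normalize_rule(rule)
  RULE_DEFAULTS.merge(rule.transform_keys(&:to_s))
end

# Canonical form of a rule list: normalised rules sorted by a stable key,
# so array order no longer matters.
def canonical_rules(rules)
  rules.map { |r| normalize_rule(r) }.sort_by do |r|
    [r['field'].to_s, r['type'].to_s, r['value'].to_s, r['inverted'] ? 1 : 0]
  end
end

# True when both lists describe the same set of rules.
def rules_in_sync?(current, desired)
  canonical_rules(current) == canonical_rules(desired)
end

# Constructed sample: what the API reports (two rules, facility first) ...
CURRENT_RULES = [
  { 'field' => 'facility', 'description' => '', 'type' => 'equals',
    'inverted' => true, 'value' => 'kernel' },
  { 'field' => 'application_name', 'description' => '', 'type' => 'equals',
    'inverted' => false, 'value' => 'named' },
].freeze

# ... and the same two rules as written in the manifest, in the other order.
DESIRED_RULES = [
  { field: 'application_name', type: 'equals', value: 'named' },
  { field: 'facility', type: 'equals', value: 'kernel', inverted: true },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts rules_in_sync?(CURRENT_RULES, DESIRED_RULES) # true: no change needed
end
```

A genuine difference, such as the stream holding only one of the two rules or a renamed field, still compares as out of sync.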
@tahder

tahder commented Dec 18, 2024

It seems there's perhaps a cache issue: if you rerun the Puppet agent, this time the Graylog stream dashboard is updated. Or perhaps it was the older version of Graylog (6.0.x); I'm currently on 6.1.4, where a rerun fixes it.

In terms of sorting the rules by field, I was able to do it by deleting one at a time and then rerunning the agent until the rules are sorted. They are not sorted automatically, or end up in a random position.
