Hello I have a question about Suppressed in pm_evcorr. Having following example from official documentation: Module im_file File "/tmp/testfile" SavePos FALSE ReadFromLast FALSE Exec if ($raw_event =~ /^(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (.+)/) { \ $EventTime = parsedate($1); \ $Message = $2; \ $raw_event = $Message; \ } Module im_internal Exec $raw_event = $Message; Exec $EventTime = 2010-01-01 00:01:00; Module om_file File '/tmp/output' Module pm_evcorr TimeField EventTime # match input event and execute an action list, but ignore the following # matching events for the next t seconds. Condition $Message =~ /^suppressed/ Interval 30 Exec $raw_event = "suppressing.."; Exec if $Message =~ /^simple/ $raw_event = "got simple"; Path in, internal => evcorr => out Wrote following logs into the file: [root@server:[DEV] /tmp]# echo "2017-12-01 13:06:44 suppressed" >> testfile [root@server:[DEV] /tmp]# echo "2017-12-01 13:06:47 simple" >> testfile [root@server:[DEV] /tmp]# echo "2017-12-01 13:06:49 simple" >> testfile [root@server:[DEV] /tmp]# echo "2017-12-01 13:07:00 suppressed" >> testfile In output I got: suppressing.. got simple got simple suppressed Suppressing condition worked. But I thought that will stop processing all subsequent log entries. And it's not. Why the Simple condition is still matched?

I think the <Suppressed> rule only prevents the evaluation of the Exec statements when suppression kicks in.

The following would probably do what you need If you add $do_not_drop = TRUE; to your suppression rule and then use an additional Simple rule like this:

<Simple>
  Exec if $Message =~ /^suppressed/ and not defined $do_not_drop drop(); 
</Simple>