Events created by aggregations should always have a non-empty source_streams field because this is used for permission checks.
When users create an event definition that creates events when the aggregation doesn't return any results (e.g. create event when count() < 1), the resulting events don't have any streams set in the source_streams field.
Steps to Reproduce (for bugs)
Create new event definition
Configure search query that will not return a result
Use condition count() < 1
Wait until events are created
Check that created events have an empty source_streams field
Graylog Version: 3.1.3
The text was updated successfully, but these errors were encountered: