What this is about: Export AP logs for successful logins to a txt file. Use the txt file to compare each following login from the same AP: Is new login on the list or not. So, 1) Find and export the relevant data 2) Create a Pipeline and test new logins against this data. I am no docker/Graylog expert. This is more like 'note-to-self" kind of thing. Please check with Docker or Graylog documentation.