I know that in a Log Decoder Service, the log processing sequence is like:
Parsers --> Rules --> Feeds
but, I need to create an App Rule to generate meta based on other meta generated by a custom feed.
The use case is as follows:
I get a user.src and search for that username in a custom feed. The feed enriches that meta with a new one: user.src.name. I want to generate an alert meta when a log has user.src but not user.src.name.
I believe feeds are applied before App Rules. Feeds should be applied right after the parsing stage, so you're able to refer to meta generated by them in App Rules. Note that App Rules are run in top-down fashion, like a firewall rule chain, so app rules can even refer to other app rules as long as they're placed below them in-order.
Chris is correct on the order of operations, but as a note, ANY new meta generated (by app rule or parser or feed) will cause a re-processing of the feeds. So if you generate a meta value in an application rule or another feed that could affect any other feeds (feeds using that meta key as an index value), then those feeds will re-process and generate any meta values if the feed gets a hit, which could then cause other feed(s) to process, etc.
Feeds are triggered by matching against meta in a particular key or keys it is configured to look at.
App rules are made by combining 1 or more pieces of meta and calling it some other new piece of meta. They usually operate at the end of the session. If you took a close look at the meta in a session, note the order in which it is presented. That is the order in which the meta was generated as well. In many cases, app rules are toward the bottom.
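The ordering described in the replies above (feeds after parsing, app rules top-down, feeds re-run on any new meta), as a simplified Python model for reasoning about the "user.src present, user.src.name missing" rule. This is an added example, not NetWitness code and not from any poster; the feed contents, the `unknown_user` alert value and the second feed keyed on `alert` are constructed for illustration.

```python
# Toy model of Log Decoder ordering as described in the thread (assumption:
# simplified; real Decoder behaviour has more stages and options).

# Constructed feeds: index meta key -> {index value: (output key, output value)}
FEEDS = {
    "user.src": {"alice": ("user.src.name", "Alice Example")},
    "alert": {"unknown_user": ("risk.info", "user missing from custom feed")},
}

# App rules, evaluated top-down: (alert value, predicate over the meta dict)
APP_RULES = [
    ("unknown_user", lambda m: "user.src" in m and "user.src.name" not in m),
]

def run_feeds(meta, order):
    """Re-run feeds until no new meta appears (any new meta can trigger a feed)."""
    changed = True
    while changed:
        changed = False
        for key, table in FEEDS.items():
            for value in list(meta.get(key, [])):
                hit = table.get(value)
                if hit and hit[1] not in meta.get(hit[0], []):
                    meta.setdefault(hit[0], []).append(hit[1])
                    order.append(hit[0])
                    changed = True

def process(parsed):
    """parsed: list of (key, value) meta from the parser stage, in order."""
    meta, order = {}, []
    for key, value in parsed:
        meta.setdefault(key, []).append(value)
        order.append(key)
    run_feeds(meta, order)              # feeds run right after parsing
    for alert, predicate in APP_RULES:  # app rules, top-down
        if predicate(meta):
            meta.setdefault("alert", []).append(alert)
            order.append("alert")
            run_feeds(meta, order)      # new meta causes feeds to re-process
    return meta, order

if __name__ == "__main__":
    for user in ("alice", "mallory"):
        print(user, process([("user.src", user)]))
```

The returned `order` list mirrors the point made in the last reply: meta appears in the order it was generated, with app-rule output toward the end.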