A question about the CONTAINS pipeline function

Loompaz · May 15, 2017, 4:22pm

Hello everybody,

I would like to know if a field contains a part of another field.

For example :

field1: buddy
field2: buddytwo.lalala

-> In this case, it should match

So I made some test with the contains function :

rule "test"
when
    contains(to_string($message.field1), to_string($message.field2))
then    
	set_field("tested", true);
end;

But this doesn’t work : every logs match, even those which don’t have the fields field1 and field2 …

So I’m asking if we can use $message.fieldname for the substring. Maybe this is not possible ?

Thanks for your help !

jochen · May 16, 2017, 7:25am

You have to check if these fields exist first (via has_field()), otherwise the condition will check if the empty string contains the empty string (which is true) for cases in which the message doesn’t contain the field1 or field2 fields.

Loompaz · May 16, 2017, 8:22am

Exact jochen. It works perfectly now. I should have check this before…

Thanks for your help !

system · May 30, 2017, 8:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Basic contain from message field Graylog Central (peer support)	2	389	October 1, 2019
Pipeline Decorator not Implementing Graylog Central (peer support)	3	684	July 18, 2019
Pipeline Rules - Exact Match on Field Graylog Central (peer support) pipeline-rules	5	5261	June 6, 2018
Pipeline rule: contains on list Graylog Central (peer support) pipeline-rules , route-to-streampl	4	5632	May 22, 2019
Conditions question - is the value field a exact match of partial match Graylog Central (peer support)	1	461	August 30, 2019

A question about the CONTAINS pipeline function

Related Topics