Accessing "subdivisions" data from GeoLite in a Pipeline Rule

Under graylog v5.2.3 when working with pipeline rules - specifically associating data from the geolite city database - not finding a means to address the “first” array element. Have attempted numerous possibilities by the logic parser says 'nope, that’s not going to work". eg:

let tempvar = geo[“subdivisions”][0];
let tempvar = geo[“subdivisions”].[0];
(and so on).

The source data structure is:
“subdivisions”: [
“iso_code”: “XX”,
“names”: {
“en”: “<value being targetted”,

The problem is that subdivisions is an array and each object in the array is a hash. Unlike the entire rest of the response payload, where everything else returns as a hash. Have seen a couple posts here about this, but no follow-on answers about how to target array position in a pipeline rule - at least that the syntax checking will accept and that works. In one thread, the syntax:
was referenced, but the parser now seems to bark at the “.[0].” reference. Seem to think that this had worked under a prior [major] version of graylog, but evidently isn’t working under v5.x.


5.2 introduced a regression, preventing you from accessing the subdivisions field.
Fix is in progress and should be included in the next bugfix release.

While regressions are never good, at least its a known issue and not something I was doing incorrectly.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.