Under graylog v5.2.3 when working with pipeline rules - specifically associating data from the geolite city database - not finding a means to address the “first” array element. Have attempted numerous possibilities by the logic parser says 'nope, that’s not going to work". eg:
let tempvar = geo[“subdivisions”][0];
let tempvar = geo[“subdivisions”].[0];
(and so on).
The source data structure is:
“subdivisions”: [
{
“iso_code”: “XX”,
“names”: {
“en”: “<value being targetted”,
}
}
]
The problem is that subdivisions is an array and each object in the array is a hash. Unlike the entire rest of the response payload, where everything else returns as a hash. Have seen a couple posts here about this, but no follow-on answers about how to target array position in a pipeline rule - at least that the syntax checking will accept and that works. In one thread, the syntax:
geo[“subdivisions”].[0].names.en
was referenced, but the parser now seems to bark at the “.[0].” reference. Seem to think that this had worked under a prior [major] version of graylog, but evidently isn’t working under v5.x.
5.2 introduced a regression, preventing you from accessing the subdivisions field.
Fix is in progress and should be included in the next bugfix release.
