Concatenate Two Fields


(GT) #1

I am trying to concatenate the DstName and Path fields into the URL field. Below is the pipeline config I currently have and an example of the two fields I am trying to concatenate:

rule "URL"
when
has_field("DstName") && has_field("Path")
then
let URL = concat(to_string($message.DstName), to_string($message.Path));
set_field("URL", URL);
end

DstName:go.microsoft.com
Path:/fwlink/?LinkID_2233=2233yxa

My expected outcome would be as follows:

URL:go.microsoft.com/fwlink/?LinkID_2233=2233yxa

(Jan Doberstein) #2

That should be the way to go; look at the samples.

http://docs.graylog.org/en/2.4/pages/pipelines/functions.html?highlight=concat#concat


(GT) #3

Hi,

I have looked at the documentation, and the pipeline rule I created should have worked; I am not sure why it’s not.

Any ideas?

Cheers,

George


(Jan Doberstein) #4

without knowing your messages?

Sorry my :crystal_ball: is currently out of order …

Maybe your when condition did not work, or your field names are different. Try to use the debug function to find the reason.

regards
Jan


(GT) #5

Haha, sorry for my lack of information. Below is an example of a log that I am trying to perform the concat on.

AppCategoryID 13
AppCategoryName Web services
AppID 8
AppName Google Chrome
DstIP 123.123.123.123
DstName https://community.graylog.org
DstPort 80
GeoDst USA
GeoSrc USA
HTTPMethod GET
Hour 9
Message HTTP request
MsgID 1AFF-0024
Path /t/concatenate-two-fields/4741/4
Protocol tcp
ProxyAct HTTP Proxy.1
ReceivedBytes 918
Reputation 1
RuleAction Allow
RuleName Proxy Access
SentBytes 697
SrcIP 321.321.321.321
SrcPort 63210
TargetUserName MYNAME@MYCOMPANY.COM
TimeElapsed 0.189354 sec(s)
TimeStamp 2018-03-27T08:56:46
Type Proxy Log
Zone 1-Untrusted 3-Out

I hope you can get a better idea of what I’m trying to do and the fields I am working with. I just want to create the URL from those two fields.

Cheers,

G


(Jan Doberstein) #6

Are those fields available in Graylog as separate fields already? If yes, that should work.


(GT) #7

Here’s a screenshot of part of a log file. As you can see both fields are there, I don’t understand why it’s not working.

Message filtering is done before pipelines, so the fields are present when being processed by the pipeline.


(Jan Doberstein) #8

you should now debug that step-by-step.

Write a field “debug” if the condition is matching; then you can see if that part of the rule is working. If that is working, write the content of both fields to the log file as a debug message.

( http://docs.graylog.org/en/2.4/pages/pipelines/functions.html?debug#debug )

This is the best way to check what is working and what not.
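
The step-by-step debugging described above, written out as a complete Graylog pipeline rule. This is an added example, not code from the original posters or from the Graylog documentation; the marker field name "debug" and the marker value "url-rule-matched" are arbitrary choices, and the rule assumes the field names from the posted log (DstName, Path).

```graylog
rule "URL (debug)"
when
    // Same condition as the original rule: only act when both inputs exist.
    has_field("DstName") && has_field("Path")
then
    // Step 1: mark the message so it is obvious in the search UI that the
    // when-condition matched. If "debug" never shows up, the condition or
    // the pipeline/stream connection is the problem, not concat().
    set_field("debug", "url-rule-matched");

    // Step 2: write the exact values the rule sees to the Graylog server log
    // (debug() prints its argument as a string in the server log). This
    // reveals hidden surprises such as trailing whitespace or a scheme
    // prefix like "https://" already present in DstName.
    debug(concat("DstName=", to_string($message.DstName)));
    debug(concat("Path=", to_string($message.Path)));

    // Step 3: the actual concatenation, same as the original rule.
    let url = concat(to_string($message.DstName), to_string($message.Path));
    set_field("URL", url);

    // Step 4: log the result too, so input and output can be compared side by side.
    debug(concat("URL=", url));
end
```

With the posted sample message this yields URL:https://community.graylog.org/t/concatenate-two-fields/4741/4, and the three debug lines appear in the Graylog server log. Two things to check if the "debug" field never appears: the rule must be placed in a stage of a pipeline that is connected to the stream the message actually ends up in, and pipeline rules only run on messages processed after the rule was saved, so search for new messages rather than re-checking old ones.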


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.