Concatenate Two Fields

I am trying to concatenate the DstName and Path fields into the URL field. Below is the pipeline config I currently have and an example of the two fields I am trying to concatenate:

rule "URL"
when
  has_field("DstName") && has_field("Path")
then
  let URL = concat(to_string($message.DstName), to_string($message.Path));
  set_field("URL", URL);
end

DstName:go.microsoft.com
Path:/fwlink/?LinkID_2233=2233yxa

My expected outcome would be as follows:

URL:go.microsoft.com/fwlink/?LinkID_2233=2233yxa

That should be the way to go; look at the samples.

http://docs.graylog.org/en/2.4/pages/pipelines/functions.html?highlight=concat#concat


Hi,

I have looked at the documentation and the pipeline rule I created should have worked; I am not sure why it’s not.

Any ideas?

Cheers,

George

Without knowing your messages?

Sorry my :crystal_ball: is currently out of order …

Maybe your when condition did not work, or your field names are different. Try to use the debug function to find the reason.

regards
Jan

Haha, sorry for my lack of information. Below is an example of a log that I am trying to perform the concat on.

AppCategoryID 13
AppCategoryName Web services
AppID 8
AppName Google Chrome
DstIP 123.123.123.123
DstName https://community.graylog.org
DstPort 80
GeoDst USA
GeoSrc USA
HTTPMethod GET
Hour 9
Message HTTP request
MsgID 1AFF-0024
Path /t/concatenate-two-fields/4741/4
Protocol tcp
ProxyAct HTTP Proxy.1
ReceivedBytes 918
Reputation 1
RuleAction Allow
RuleName Proxy Access
SentBytes 697
SrcIP 321.321.321.321
SrcPort 63210
TargetUserName MYNAME@MYCOMPANY.COM
TimeElapsed 0.189354 sec(s)
TimeStamp 2018-03-27T08:56:46
Type Proxy Log
Zone 1-Untrusted 3-Out

I hope you can get a better idea of what I’m trying to do and the fields I am working with. I just want to create the URL from those two fields.

Cheers,

G

Are those fields available in Graylog as separate fields already? If yes, that should work.

Here’s a screenshot of part of a log file. As you can see both fields are there, I don’t understand why it’s not working.

Message filtering is done before pipelines so the fields are present when being processed by the pipeline.

You should now debug that step by step.

Write a field “debug” if the condition is matching - then you can see if that part of the rule is working. If that is working, write the content of both fields as a debug message to the log file.

( http://docs.graylog.org/en/2.4/pages/pipelines/functions.html?debug#debug )

This is the best way to check what is working and what not.
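
The step-by-step check described in the last reply, written out as an added example (not code from any poster in this thread or from the Graylog project). The field names debug_has_DstName, debug_has_Path and debug are assumptions chosen for illustration; has_field, set_field, concat, to_string and debug are the pipeline functions already used or linked above.

```graylog
// Step 1: runs on every message reaching the pipeline. It records each
// half of the original "when" condition separately, so a message with
// no debug_has_* fields at all means the pipeline itself is not being
// applied to that message (wrong stream or processing order).
rule "URL debug: which field is present"
when
  true
then
  // Field names are case-sensitive; "DstName" and "dstname" differ.
  set_field("debug_has_DstName", has_field("DstName"));
  set_field("debug_has_Path", has_field("Path"));
end

// Step 2: same condition as the original "URL" rule. If the "debug"
// field appears on a message, the condition matched and the problem
// is in the "then" part of the original rule.
rule "URL debug: condition matched"
when
  has_field("DstName") && has_field("Path")
then
  set_field("debug", "URL rule condition matched");
  // debug() writes its argument to the Graylog server log, not to the message.
  debug(concat("DstName=", to_string($message.DstName)));
  debug(concat("Path=", to_string($message.Path)));
end
```

Attach both rules to the same stage as the original rule, send one test message, then remove them again so the extra fields and log lines do not accumulate.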
