Condition in condition in Pipeline


(Anthony Breda) #1

Hi,
I'd like to write this pipeline rule:

```
rule "IPClass"
when
  has_field("IPsource")
then
  // xxx.xxx.xxx.xxx
  let splitIP = split("[.]", to_string($message.IPsource));
  let octet1 = splitIP[0];
  let octet2 = splitIP[1];
  let octet3 = splitIP[2];
  let locationSite = "";

  when
    octet1 == xxx && octet2 == xxx && octet3 == xxx
  then
    locationSite = "Site1";
  end

  set_field("LocationSite", locationSite);
end
```

But Graylog doesn't like this:
"extraneous input 'when' expecting {';', End, Let, Identifier}"

Best regards,
Anthony


(Jochen) #2

What are you trying to achieve ultimately?

Usually, you would use two rules in consecutive stages for what I think you’re trying to do.

PS: Please format your posts for better readability: https://help.github.com/articles/creating-and-highlighting-code-blocks/


(Jan Doberstein) #3

You can only have one when/then block in each rule, so your rule would need to become three rules.


(Anthony Breda) #4

I need to sort the IPs according to their site.
I can't use three rules because Graylog needs a test when I use $message.IPsource.
Best regards,
Anthony


(Jochen) #5

Maybe using to_ip() and cidr_match() would be simpler?


(Anthony Breda) #6

I don't know how cidr_match() works (it checks whether the given IP address object matches the CIDR pattern), but it would always require an additional condition.


(Jochen) #7

Please elaborate on that.


(Anthony Breda) #8

Hi,
If I use that, I need to add a condition to check whether my field exists.

Graylog's error:
"mismatched input 'let' expecting When"

Best regards,


(Jochen) #9

Yes, indeed. That’s how the rules work:
http://docs.graylog.org/en/2.4/pages/pipelines/rules.html


(Anthony Breda) #10

So, how do I do that?

Best regards,


(Jochen) #11

What exactly do you mean?


(Anthony Breda) #12

I would like to assign IP ranges to the different sites in my company.
Best regards,


(Jochen) #13

As described before, you can use to_ip() and cidr_match() to check if an IP address is in a given CIDR block.

```
rule "example-rule"
when
  has_field("ip_address") &&
  cidr_match("10.0.0.0/8", to_ip($message.ip_address))
then
  set_field("location_site", "Test Location");
end
```

(Anthony Breda) #14

Thank you!!
Is it possible to use a lookup table instead?

Best regards,


(Jochen) #15

No, that's not possible if you want to store the CIDR blocks in a lookup source; also see: Mapping IPs to subnets

If the number of IP addresses is fairly limited, you could store them (and not the CIDR notation) in a CSV file and create a lookup table from it.

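The two approaches discussed in this thread, as an added example that is not code from Graylog or from any of the posts: matching an address against CIDR blocks (what `to_ip()` plus `cidr_match()` do inside a rule, one rule per site) and, because a lookup table cannot match CIDR notation, expanding small blocks into a per-address CSV that a CSV lookup table can serve. The site names, CIDR blocks and sample addresses are constructed for the example; the size guard and the longest-prefix-wins behaviour are design choices of this script, not something Graylog guarantees.

```python
"""Map a source IP to a company site by CIDR block.

Added example for this thread, not code from Graylog or from the posts.
Site names and CIDR blocks are constructed sample data.
"""
import csv
import io
import ipaddress

# Constructed mapping: site -> CIDR blocks (assumption: a site may own several).
SITE_BLOCKS = {
    "Site1": ["10.1.0.0/16"],
    "Site2": ["10.2.0.0/16", "192.168.50.0/24"],
    "Site3": ["10.2.200.0/24"],  # deliberately nested inside Site2's /16
}


def build_networks(site_blocks):
    """Parse the mapping into (network, site) pairs, most specific prefix first.

    strict=True rejects blocks with host bits set (e.g. 10.2.0.1/16), which
    would otherwise silently match a different range than intended.
    """
    nets = []
    for site, blocks in site_blocks.items():
        for block in blocks:
            nets.append((ipaddress.ip_network(block, strict=True), site))
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


NETWORKS = build_networks(SITE_BLOCKS)


def location_site(value, networks=NETWORKS):
    """Return the site owning the address in `value`, or None.

    None covers every case a pipeline rule has to guard against before
    calling to_ip()/cidr_match(): field absent, value not an IP address,
    or address in no configured block. Longest prefix wins on overlap.
    """
    if value is None:
        return None
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    for net, site in networks:
        if ip.version == net.version and ip in net:
            return site
    return None


def lookup_csv(site_blocks, max_addresses=4096):
    """Expand CIDR blocks into one 'ip,site' row per address.

    Workaround for a lookup table that can only store plain addresses.
    Overlaps resolve like location_site(): the most specific block wins
    and each address appears exactly once. The size guard stops a /8
    from being expanded into a multi-gigabyte file by mistake.
    """
    networks = build_networks(site_blocks)
    total = sum(net.num_addresses for net, _ in networks)
    if total > max_addresses:
        raise ValueError(f"{total} addresses exceeds limit of {max_addresses}")
    rows = {}
    for net, site in networks:  # most specific first, so setdefault keeps it
        for ip in net:
            rows.setdefault(ip, site)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "site"])
    for ip, site in sorted(rows.items(), key=lambda kv: (kv[0].version, int(kv[0]))):
        writer.writerow([str(ip), site])
    return buf.getvalue()


# Small constructed mapping that is safe to expand into a CSV.
SMALL_BLOCKS = {
    "Site1": ["192.0.2.0/29"],
    "Site2": ["192.0.2.8/30"],
    "Site3": ["192.0.2.10/32"],  # single host carved out of Site2's /30
}

if __name__ == "__main__":
    for sample in ["10.2.200.7", "10.2.1.1", "192.168.50.9", "172.16.0.1", "nope", None]:
        print(sample, "->", location_site(sample))
    print(lookup_csv(SMALL_BLOCKS))
```

Feed the generated CSV to a CSV lookup table keyed on the `ip` column and a single rule with `has_field` plus `lookup_value` replaces the per-site chain of `cidr_match` rules; the expansion only stays practical for small blocks, which is the limitation the reply above points out.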

(Anthony Breda) #16

Thank you for both answers. In the end I used the lookup table, but the other answer is good too.

Best regards,
Anthony


(system) #17

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.