Condition in condition in Pipeline

anthodu57 · 2018-04-13 09:20:25 UTC

Hy,
I wish make this pipeline’s rule:

rule “IPClass”
when
has_field(“IPsource”)
then
//xxx.xxx.xxx.xxx
let splitIP=split("[.]",to_string($message.IPsource));
let octet1=splitIP[0];
let octet2=splitIP[1];
let octet3=splitIP[2];
let locationSite = “”;
when
  octet1 == xxx && octet2 == xxx && octet3 == xxx
then
locationSite=“Site1”;
end
set_field("LocationSite",locationSite);
end

But, Graylog don’t would like this:
“extraneous input ‘when’ expecting {’;’, End, Let, Identifier}”

Best regard,
Anthony,

jochen · 2018-04-13 09:37:29 UTC

What are you trying to achieve ultimately?

Usually, you would use two rules in consecutive stages for what I think you’re trying to do.

PS: Please format your posts for better readability: https://help.github.com/articles/creating-and-highlighting-code-blocks/

jan · 2018-04-13 11:02:13 UTC

you can only have one when / then block in each rule - so your rule would need three rules.

anthodu57 · 2018-04-13 12:13:56 UTC

I need sort the IP according to their site.
I doesn’t can use three rules because graylog need a test when I use $ message.IPsource.
Best regard,
Anthony,

jochen · 2018-04-13 12:36:05 UTC

Maybe using to_ip() and cidr_match() would be simpler?

anthodu57 · 2018-04-13 12:40:54 UTC

I don’t know how cidr_match() work (Checks whether the given ip address object matches the cidr pattern) but it would always require an additional condition.

jochen · 2018-04-13 13:08:54 UTC

Please elaborate on that.

anthodu57 · 2018-04-16 06:16:44 UTC

Hi,
If I use that, I need add a condition for check if my field exist.

Graylog’s error:
“mismatched input ‘let’ expecting When”

Best regard,

jochen · 2018-04-16 07:29:08 UTC

Yes, indeed. That’s how the rules work:
http://docs.graylog.org/en/2.4/pages/pipelines/rules.html

anthodu57 · 2018-04-16 07:43:43 UTC

So, how to do that?

Best regard,

jochen · 2018-04-16 08:49:00 UTC

What exactly do you mean?

anthodu57 · 2018-04-16 08:56:37 UTC

I would like attribute a IP range to a differents sites in my company.
Best regard,

jochen · 2018-04-16 09:06:55 UTC

As described before, you can use to_ip() and cidr_match() to check if an IP address is in a given CIDR block.

rule "example-rule"
when
  has_field("ip_address") &&
  cidr_match("10.0.0.0/8", to_ip($message.ip_address))
then
  set_field("location_site", "Test Location");
end

anthodu57 · 2018-04-16 12:13:29 UTC

Thank you!!
It’s possible use the Lookup table?

Best regard,

jochen · 2018-04-16 12:31:50 UTC

No, that’s not possible if you want to store the CIDR blocks in a lookup source, also see: Mapping IPs to subnets

If the number of IP addresses is fairly limited, you could store them (and not the CIDR notation) in a CSV file and create a lookup table from it.

anthodu57 · 2018-04-17 07:25:00 UTC

Thank you for the two answers. Finally I use the Lookup table but the other answer it’s good.

Best regard,
Anthony,

system · 2018-05-01 07:35:02 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.