Condition in condition in Pipeline

anthodu57 · April 13, 2018, 9:20am

Hy,
I wish make this pipeline’s rule:

rule “IPClass”
when
has_field(“IPsource”)
then
//xxx.xxx.xxx.xxx
let splitIP=split(“[.]”,to_string($message.IPsource));
let octet1=splitIP[0];
let octet2=splitIP[1];
let octet3=splitIP[2];
let locationSite = “”;
when
  octet1 == xxx && octet2 == xxx && octet3 == xxx
then
locationSite=“Site1”;
end
set_field("LocationSite",locationSite);
end

But, Graylog don’t would like this:
“extraneous input ‘when’ expecting {‘;’, End, Let, Identifier}”

Best regard,
Anthony,

jochen · April 13, 2018, 9:37am

What are you trying to achieve ultimately?

Usually, you would use two rules in consecutive stages for what I think you’re trying to do.

PS: Please format your posts for better readability: https://help.github.com/articles/creating-and-highlighting-code-blocks/

jan · April 13, 2018, 11:02am

you can only have one when / then block in each rule - so your rule would need three rules.

anthodu57 · April 13, 2018, 12:13pm

I need sort the IP according to their site.
I doesn’t can use three rules because graylog need a test when I use $ message.IPsource.
Best regard,
Anthony,

jochen · April 13, 2018, 12:36pm

Maybe using to_ip() and cidr_match() would be simpler?

anthodu57 · April 13, 2018, 12:40pm

I don’t know how cidr_match() work (Checks whether the given ip address object matches the cidr pattern) but it would always require an additional condition.

jochen · April 13, 2018, 1:08pm

Please elaborate on that.

anthodu57 · April 16, 2018, 6:16am

Hi,
If I use that, I need add a condition for check if my field exist.

Graylog’s error:
“mismatched input ‘let’ expecting When”

Best regard,

jochen · April 16, 2018, 7:29am

Yes, indeed. That’s how the rules work:
http://docs.graylog.org/en/2.4/pages/pipelines/rules.html

anthodu57 · April 16, 2018, 7:43am

So, how to do that?

Best regard,

jochen · April 16, 2018, 8:49am

What exactly do you mean?

anthodu57 · April 16, 2018, 8:56am

I would like attribute a IP range to a differents sites in my company.
Best regard,

jochen · April 16, 2018, 9:06am

As described before, you can use to_ip() and cidr_match() to check if an IP address is in a given CIDR block.

rule "example-rule"
when
  has_field("ip_address") &&
  cidr_match("10.0.0.0/8", to_ip($message.ip_address))
then
  set_field("location_site", "Test Location");
end

anthodu57 · April 16, 2018, 12:13pm

Thank you!!
It’s possible use the Lookup table?

Best regard,

jochen · April 16, 2018, 12:31pm

No, that’s not possible if you want to store the CIDR blocks in a lookup source, also see: Mapping IPs to subnets

If the number of IP addresses is fairly limited, you could store them (and not the CIDR notation) in a CSV file and create a lookup table from it.

anthodu57 · April 17, 2018, 7:25am

Thank you for the two answers. Finally I use the Lookup table but the other answer it’s good.

Best regard,
Anthony,

system · May 1, 2018, 7:35am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Variables in pipelines Graylog Central (peer support) pipeline-rules	2	1539	July 10, 2020
Pipeline rule - additional test within then clause Graylog Central (peer support) pipeline-rules	1	1430	May 4, 2017
Pipeline rules problem Graylog Central (peer support) pipeline-rules	4	903	March 10, 2022
Checking condition in a pipeline Graylog Central (peer support)	7	7964	March 23, 2018
Another try at pipeline rules Graylog Central (peer support) pipeline-rules , debuggingpl	5	1251	August 2, 2017

Condition in condition in Pipeline

Related topics