Condition in condition in Pipeline

(Anthony Breda) #1

I wish to make this pipeline rule:

```
rule "IPClass"
let splitIP=split("[.]",to_string($message.IPsource));
let octet1=splitIP[0];
let octet2=splitIP[1];
let octet3=splitIP[2];
let locationSite = "";

  octet1 == xxx && octet2 == xxx && octet3 == xxx
```




But Graylog doesn't like this:
“extraneous input ‘when’ expecting {’;’, End, Let, Identifier}”

Best regards,

(Jochen) #2

What are you trying to achieve ultimately?

Usually, you would use two rules in consecutive stages for what I think you’re trying to do.

PS: Please format your posts for better readability:

(Jan Doberstein) #3

You can only have one when / then block in each rule, so you would need three rules.

(Anthony Breda) #4

I need to sort the IPs according to their site.
I can't use three rules because Graylog needs a test when I use $message.IPsource.
Best regards,

(Jochen) #5

Maybe using to_ip() and cidr_match() would be simpler?

(Anthony Breda) #6

I don't know how cidr_match() works (Checks whether the given ip address object matches the cidr pattern), but it would always require an additional condition.

(Jochen) #7

Please elaborate on that.

(Anthony Breda) #8

If I use that, I need to add a condition to check if my field exists.

Graylog’s error:
“mismatched input ‘let’ expecting When”

Best regards,

(Jochen) #9

Yes, indeed. That’s how the rules work:

(Anthony Breda) #10

So, how to do that?

Best regards,

(Jochen) #11

What exactly do you mean?

(Anthony Breda) #12

I would like to attribute an IP range to different sites in my company.
Best regards,

(Jochen) #13

As described before, you can use to_ip() and cidr_match() to check if an IP address is in a given CIDR block.

```
rule "example-rule"
when
  // has_field() guards the rule so messages without the field are skipped
  // instead of failing in to_ip(); the CIDR block was left empty in the post
  has_field("ip_address") &&
  cidr_match("", to_ip($message.ip_address))
then
  set_field("location_site", "Test Location");
end
```

(Anthony Breda) #14

Thank you!!
Is it possible to use the Lookup table?

Best regards,

(Jochen) #15

No, that’s not possible if you want to store the CIDR blocks in a lookup source, also see: Mapping IPs to subnets

If the number of IP addresses is fairly limited, you could store them (and not the CIDR notation) in a CSV file and create a lookup table from it.
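Added example (not from the thread): a Python emulation of the two approaches above, the cidr_match() rule per site from #13 with its has_field() guard, and the per-IP CSV suggested in #15 for a lookup table, which matches exact keys and so cannot hold CIDR notation. The site names and CIDR blocks are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed site -> CIDR mapping (not from the thread).
SITE_CIDRS = {
    "site-paris": "10.10.0.0/16",
    "site-lyon": "10.20.0.0/24",
    "site-vpn": "192.168.100.0/28",
}


def classify_message(message: dict, sites: dict = SITE_CIDRS) -> dict:
    """Emulate one pipeline stage holding one cidr_match() rule per site.

    Each rule checks has_field() first, so a message without the field, or
    with a value to_ip() cannot parse, is returned unchanged rather than
    aborting the rule; a matching block sets location_site.
    """
    msg = dict(message)
    if "ip_address" not in msg:                  # has_field() is false
        return msg
    try:
        ip = ipaddress.ip_address(msg["ip_address"])   # to_ip()
    except ValueError:
        return msg
    for site, cidr in sites.items():             # one rule per site
        if ip in ipaddress.ip_network(cidr):     # cidr_match()
            msg["location_site"] = site          # set_field()
            break
    return msg


def lookup_table_csv(sites: dict, max_hosts: int = 256) -> str:
    """Expand CIDR blocks into an 'ip,site' CSV usable as a lookup table.

    A CSV lookup table only matches exact keys, so every host must be listed;
    blocks above max_hosts are refused because that is no longer a 'fairly
    limited' number of addresses.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "site"])
    for site, cidr in sites.items():
        block = ipaddress.ip_network(cidr)
        if block.num_addresses > max_hosts:
            raise ValueError(f"{site}: {cidr} is too large for a per-IP table")
        for host in block.hosts():               # network/broadcast excluded
            writer.writerow([str(host), site])
    return buf.getvalue()
```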

(Anthony Breda) #16

Thank you for the two answers. In the end I used the Lookup table, but the other answer is good too.

Best regards,

(system) #17

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.