Creating new fields in pipeline

Jsoft · May 13, 2019, 8:25am

Hi all,

I am currently retrieving data from one stream and displaying it on another using slookup pipeline rule. However the field that are added are only decorators and i need a way to display it on the dashboard, are there any way to add these fields into the message permanently or create a new message using the retrived value?

Thank you.

Pipeline Rule
rule "Enrich Data"
when
    has_field("src_addr")
then
    let system_info = slookup("5cd8eaf2cc57e401e53319a1", "src_addr", "@indicator", ["share_level"], "55000000", "desc");
    set_field("badip_first_seen", to_string(system_info));
    route_to_stream("5ccfe39fcc57e401bf0ddac7");
end

jan · May 13, 2019, 10:15am

use the pipeline in message processing and not only as decorator is the solution.

Jsoft · May 14, 2019, 1:40am

If you don’t mind me asking, how do i do that?

Jsoft · May 14, 2019, 2:38am

Moving the message filter chain above pipeline processor does what i want, thank you.

system · May 28, 2019, 2:38am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
New field using Pipeline Graylog Central (peer support) pipeline-rules , route-to-streampl	6	1925	August 8, 2018
Pipeline: Create new message, set this message with new fields then route the message to a stream Graylog Central (peer support) pipeline-rules , route-to-streampl	4	3862	May 30, 2018
Creating Stream Rules Using Pipeline Fields Graylog Central (peer support) pipeline-rules	5	5589	February 20, 2018
Pipeline not adding new fields Graylog Central (peer support) pipeline-rules	5	751	April 18, 2023
Slookup, Pipeline Rule Graylog Add-ons pipeline-rules	1	855	September 21, 2018

Creating new fields in pipeline

Related topics