CSV lookup from pipeline only retrieving default value

I have a CSV lookup made up of two columns. IP address is the key and a customer name is the value. I believe the lookup is working correctly as I can use it to decorate the source field in the search results but I’m wanting to create a new field for customer rather than just decorating the results so I’m using a pipeline for that. But for some reason it only ever returns the default value set in the lookup table.

Below is my pipeline rule.

rule "Customer Lookup"
    when
      has_field("source")
    then
       let c = lookup_value("Customer Lookup", to_string($message.src_addr));
    set_field("Customer", c);
end

For reference: http://docs.graylog.org/en/3.1/pages/pipelines/functions.html#lookup-value

The name you use to reference is not the title of the lookup table. It is the name: http://docs.graylog.org/en/3.1/pages/lookuptables.html#create-lookup-table

This should not include spaces.

Thanks. I have changed the name of the lookup so that it has no spaces but it is still returning the default value for the lookup table that I specified. The lookup table decoration still works and when I put in a key in the test lookup for the data adapter it returns the correct value which tells me there’s something wrong with the pipeline.

Edit:
OK I added a debug to the code and it seems as though the $message.src_addr is empty. Is that the right variable to get the source IP address of the message?

Edit again:
Answered my own question. It should be $message.source. It’s working as expected now.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.