Drop all messages except matching and help on slookup function


I need to achieve the below and would appreciate the community's help.

I have messages coming in from a firewall in a stream, assume STREAM-FW, and I am only interested when the field has “sourceUserName”; otherwise all the messages should be dropped. [I can drop the messages which match a certain condition, but how do I drop everything except…]

That is the first requirement. Now, on the same front, I have another stream, STREAM-DNS, where I am parsing those messages, which have the field “clientipaddr”. Now I need to find out the username associated with clientipaddr, which appears in STREAM-FW.

Can someone please help me with the pipeline?

So, I made a bit of progress. I was able to route those messages containing only usernames into a different stream, i.e. onlyUserNames [which has the srcIPaddr field as well].

Now I need to compare srcIPaddr and clientIPaddr from STREAM-DNS and, if a match is found, insert the username field in STREAM-DNS.

Please advise.

Then just negate the if clause (with a !) and let the rule drop the messages :smiley:

Hi there,

Would you please give me an example?

Sure thing,

contains(to_string($message.yourField), "condition") AND
! contains(to_string($message.yourField), "condition2")

do something

It's true when the field “yourField” contains “condition” AND does not contain “condition2”. The only difference between these two is the ! :slight_smile:

That's awesome!! Thanks buddy

And any clue on comparing a string/IP address from two different streams and, if true, extracting the username field and inserting it into one of the streams?

I guess the slookup function will help me here, I believe?

If that is the case, just use the pipeline on the “all messages”-stream.

Take a look at substr() and split() together with compare. Could be helpful.
If you want to sort into a stream after a pipeline worked, just use the pipeline to set a new field (for example “toStreamX = true”) and add a new stream rule.

Good luck and let me know if you got it to work and how :smiley:
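The two Graylog pipeline rules below are an added example, not code posted in this thread or taken from Graylog's own documentation. Rule 1 applies the “negate the clause and drop” advice from the earlier reply to the first requirement (drop every STREAM-FW message that lacks sourceUserName). Rule 2 covers the second requirement in the way pipelines actually support it: a rule cannot read earlier messages from another stream, so the srcIPaddr to username pairs routed into the onlyUserNames stream are assumed to be loaded into a lookup table named fw_user_by_ip (name assumed; for instance a CSV file data adapter built from that stream). The rule then enriches each STREAM-DNS message and sets the toStreamX flag the last reply suggests matching with a stream rule. The field names sourceUserName, clientipaddr, srcIPaddr and toStreamX come from the thread; username as the name of the added field is an assumption.

```text
// Rule 1: attach to a pipeline connected to STREAM-FW.
// Negating has_field() selects exactly the messages to throw away,
// so everything WITHOUT sourceUserName is dropped and the rest passes.
rule "FW: drop everything except messages carrying sourceUserName"
when
    ! has_field("sourceUserName")
then
    drop_message();
end

// Rule 2: attach to a pipeline connected to STREAM-DNS.
// Assumption: a lookup table "fw_user_by_ip" keyed by srcIPaddr whose
// value is the sourceUserName, populated outside the pipeline (e.g. a
// CSV file data adapter generated from the onlyUserNames stream).
// Messages whose clientipaddr has no entry are left untouched.
rule "DNS: add username for clientipaddr and flag for routing"
when
    has_field("clientipaddr") AND
    is_not_null(lookup_value("fw_user_by_ip", to_string($message.clientipaddr)))
then
    let user = lookup_value("fw_user_by_ip", to_string($message.clientipaddr));
    // field name "username" is assumed; pick whatever your DNS stream expects
    set_field("username", to_string(user));
    // stream rule on STREAM-DNS: field toStreamX must match exactly "true"
    set_field("toStreamX", true);
end
```

The lookup is an exact string match on the key, so both sides must be normalised the same way (no port suffix, no brackets, same IPv6 form); that is where the substr() and split() functions mentioned above are useful before the value reaches lookup_value(). DNS messages with no matching firewall entry get neither a username nor the routing flag, so they stay in STREAM-DNS unmodified rather than being silently tagged with an empty user.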
