Extractors not functioning in Pipeline Processor

(Kris) #1

For some reason, my extractors are not functioning prior to the pipelines.
I’ve been trying to have pipelines run rules based off fields, and found it wasn’t finding the fields due to the extractor not working in the pipelines.

I understood that in order to access the Extracted fields from the Extractors you needed to order the Messages Processors Configuration like above. As long as the Pipeline Processor is after the Message Filter Chain, you should be able to access the extracted fields. Is this not correct?

I can still run the rules but only with the $message.message field. It fails every time on any $message.field value.

The extractors do work under the all messages stream, as I can see the extracted fields. Any ideas?

(Jochen) #2

What does that mean exactly? What extractors did you define and what did you expect to happen?

(Kris) #3

I am trying to be able to use the extracted fields in the pipeline rules.

For example, I have Extractors that extract data using Regex and place that into a field called Server. (I know this works as I can see the extracted fields in the streams.)

When I make a pipeline rule in the form of:

rule "Example"
when to_string($message.Server) == "Some string"
Or contains(to_string($message.Server), "Some string")

Whenever I attempt to access the $message.Field it returns false as it cannot find the field. This is further confirmed through the simulate processing feature, and in the server.log.

[EqualityExpression] left expression evaluated to null, returning false: $message.Server

My understanding was that if I wanted to have the pipelines able to access the extracted fields I had to place the Message Filter Chain as a higher priority than the Pipeline Processor.
I’m trying to understand if I’m doing something wrong.

(Jochen) #4

What’s your specific rule?

Yes, this is correct.

(Kris) #5

rule "GPL Attack_Response"
to_string($message.Signature) == "GPL ATTACK_RESPONSE id check returned root"

But I’m no longer getting the log errors and it’s going through. I have no idea what’s changed.

It seems any time I ask for help, the problem resolves itself.

Thanks. Sorry about this.
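
Added example, not part of the original thread and not Graylog's own code: a small Python check for the two things discussed above, namely whether the Message Filter Chain is ordered before the Pipeline Processor, and which fields the quoted server.log message reports as null. The function names, the hand-copied processor list and the timestamp/level prefix on the sample log lines are assumptions.

```python
import re

# Processor names as written in the thread.
FILTER_CHAIN = "Message Filter Chain"
PIPELINE = "Pipeline Processor"

# The server.log message quoted in the thread, capturing the field name.
NULL_EXPR = re.compile(
    r"\[EqualityExpression\] left expression evaluated to null, "
    r"returning false: \$message\.(\w+)"
)


def extractors_run_before_pipelines(order, disabled=()):
    """True when both processors are enabled and the filter chain is first.

    order: processor names in configured order (assumed to be copied by hand
    from the Message Processors Configuration table).
    """
    if FILTER_CHAIN not in order or PIPELINE not in order:
        return False
    if FILTER_CHAIN in disabled or PIPELINE in disabled:
        return False
    return order.index(FILTER_CHAIN) < order.index(PIPELINE)


def null_field_counts(log_lines):
    """Count, per field, rule comparisons that ran against a missing field."""
    counts = {}
    for line in log_lines:
        match = NULL_EXPR.search(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts


# Constructed sample input; the timestamp/level prefix is an assumed layout.
GOOD_ORDER = [FILTER_CHAIN, PIPELINE]
BAD_ORDER = [PIPELINE, FILTER_CHAIN]
_MSG = "[EqualityExpression] left expression evaluated to null, returning false: "
SAMPLE_LOG = [
    "2017-01-01T10:00:00 DEBUG " + _MSG + "$message.Server",
    "2017-01-01T10:00:01 DEBUG " + _MSG + "$message.Server",
    "2017-01-01T10:00:02 DEBUG " + _MSG + "$message.Signature",
    "2017-01-01T10:00:03 INFO  unrelated line",
]

if __name__ == "__main__":
    print(extractors_run_before_pipelines(BAD_ORDER), null_field_counts(SAMPLE_LOG))
```

A field that keeps showing up in the counts while the order check passes points at the extractor itself (for example, its regex not matching that input) rather than at processor ordering.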