FIlter IP range in Pipeline

Hello, Im new to Graylog and currently using the rule below to filter log to a stream of 2 devices: and; I want to drop all msg from
rule “filter IP range”
NOT cidr_match(“”, to_ip($message.gl2_remote_ip))
But it keeps comming, so what is the problem? Thanks a lot.

I wouldn’t put the “/” in the rule name … likely not the issue though - Maybe use the debug() function in an adjacent rule so you can watch the value for gl2_remote_ip.


Thanks for your reply. I have followed your suggestion, and the output of gl2_remote_ip is NULL. What is the problem with this field, i thought this is the built-in field of Graylog.

Were you able to solve it?

1 Like

Nothing is working. I did figure a way to take the IP of the message, by using rDNS option in INPUT then all the hostnames in source field are resolved into IP; tested with debug().
However, another problem is up, I copied one of the log into simulator to test the stream pipeline, everything worked as expected but it did not work for the real log messages in Search: It stated that this simulator message can not be used in Dashboard, Search,… but they are still there.

Hello, baoletrg
first of all check Message Processors Configuration you must something like:

|1| AWS Instance Name Lookup | disabled |
|2| GeoIP Resolver | active |
|3| Message Filter Chain | active |
|4| Pipeline Processor | active |

Try to change

NOT cidr_match(“”, to_ip($message.gl2_remote_ip))


cidr_match(“”, to_ip($message.gl2_remote_ip))

And check you ip field datatype.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.