First try at pipelines


#1

Hi there,

i would like to concate two string with a pipeline for a cleaner dashboard but i’m struggeling a little bit.

Here is my code:

rule "concate unlocker"
when
   has_field("EventID") AND contains(to_string($message.EventID), "4767")
then
   let unlocker = concat(to_string($message.SubjectUserName),to_string(" unlocked "));
   let locked_usr = concat(to_string($message.TargetUserName),to_string(" successfully!"));
   let unlocker_locked_usr = concat(unlocker,locked_usr);
   set_field("unlocker_locked_usr", unlocker_locked_usr);
end

This Rule is connected to a Pipeline as Stage 0 with the Option “All rules on this stage match the message”.
The Pipeline is connected to my Windows Event Stream.

But nothing happens :frowning:

Thanks!


(Jochen) #2

Does the “EventID” field exist in the messages from the beginning or are you creating it in another extractor or another pipeline rule?


#3

The “EventID” exists from the beginning on - its a Windows Security log (Input GELF UDP w/ sidecar+nxlog)


#4

Please close/delete Topic … It’s all about reading carefully.

My Pipeline Processor was on Position 2, and the Message Filter Chain on Position 3 … changed those two and now it works :slight_smile:

Have a nice day!


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.