The order of the function calls doesn’t matter (at least not in your case). The order of arguments in the contains() function does matter, though.
Hi Jochen,
How do I determine the order that the contains statements should be in? I got my last example wrong.
With below:
has_field(“field-x”) AND
has_field(“field-y”) AND
has_field(“field-z”) AND
contains(“match for x”,to_string($message.field-x)) AND
contains(“match for y”, to_string($message.field-y)) AND
contains(“match for z", to_string($message.field-z))
I would expect that fields x,y,and z need to be present or there is no match. The three fields with the contain statement must also match i.e field-x = “match for x” and field-y =“match for y” and field-z= “match for z”.
Anyone of the six conditions ( 3 x has field or a non field match) results in a negative result.
Do the has_field and condition statement need to be in the same order as the fields in the log?
How does the contains order work? Could you please point me to some other documentation?
Cheers
Jake
You’re chasing the wrong thing.
Take a step back, then read the documentation of the contains() function at http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#contains, with special attention to the function signature (its name and the parameters the function takes).
Hi Jochen,
The documentation says the following
contains(value: string, search: string, [ignore_case: boolean])
Checks if value contains search, optionally ignoring the case of the search pattern.
So this would mean a contains statement should be
contains(to_string($message.sysmon_cmd_parent_file,“EXCEL.EXE”))
This would search for the “EXCEL.EXE” within the string of the field message.sysmon_cmd_parent_file ie “C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE” with the option to ignore case
This makes sense, however it is in oppostion to my earlier conversation with Jan here at Checking condition in a pipeline
I think I have figured it out.
In the example above the strings are searching for identical matches as the fields can only contain “11” for sysmon_event_id so the order does not matter, where as in my example I am looking for a partial match so it matters?
Cheers
Jake
EDIT: The parenthesis are still wrong.
Yes, correct. @jan could’ve used == instead of the contains() function in this particular case and he unfortunately also mixed up the argument order of the contains() function.
If you’re unsure about the argument order, you can also name the arguments so that their order doesn’t matter:
contains(search: "ul st", value: "Full string"); // returns true
Hi Jochen,
The path to enlightenment is a stoney path 
I finally got it working.
Here is the mistake
contains(to_string($message.sysmon_cmd_parent_file,“EXCEL.EXE”))
Corrected
contains(to_string($message.sysmon_cmd_parent_file),“EXCEL.EXE”)
Cheers
Jake
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.