Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!
1. Describe your incident:
I have a graylog pipeline rule that extracts a bunch of fields from a json message body
rule "message_json_tofields"
when
has_field("message")
then
let json_from_message = regex("^.*]: (.*)",to_string($message.message))["0"];
let json = parse_json(to_string(json_from_message));
let props = select_jsonpath(json, {client_ip: "$.client_ip"});
// repeat for a number of fields
// field i have having issue with
set_fields(to_map(props));
let props = select_jsonpath(json, {request_headers_cookie: "$.request.headers.cookie"});
let api_key = key_value(to_string(props["request_headers_cookie"]),";","=");
set_fields(to_map({request_headers_cookie_apiKey:api_key["apiKey"]}));
I am having trouble with the cookie field. I can exact from the json no problem. spliting the string into key_value pairs ended up being easy via key_value. But the crux of my issue is that the field key apiKey, may or may not exist within cookie.
When it doesnt exist the whole pipeline errors
(Error: In call to function 'to_map' at 47:15 an exception was thrown: null)
is there any graceful way to handle the field some times being null?
2. Describe your environment:
-
OS Information: ubuntu 22.04
-
Package Version:
5.2.5-1 -
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
tried a bunch of ways to extract the value, but pipeline still errors due to null value
4. How can the community help?
any helpful hints/ideas about graylog pipeline processing