Graylog pipeline rule syntax errors (I guess?)

megan201296 · September 13, 2018, 7:32pm

I was working on changing a pipeline rule for better processing. I changed the conditional statement from
has_field("winlogbeat_source_name") AND NOT contains(to_string($message.winlogbeat_source_name), "Microsoft-Windows-Sysmon")

to

has_field("winlogbeat_source_name") AND NOT to_string($message.winlogbeat_source_name) == "Microsoft-Windows-Sysmon"

Rule was accepted syntactically by the pipeline rule creation. As soon as I implemented I got thousands upon thousands of the following messages from the graylog server:

2018-09-13T19:22:14.630Z WARN  [ProcessBufferProcessor] Unable to process message <52249861-b78a-11e8-8744-0adf684f2f04>: java.lang.ClassCastException: org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression cannot be cast to org.graylog.plugins.pipelineprocessor.ast.expressions.LogicalExpression

I cannot figure out what is wrong with my syntax because I have another very similar conditional statement that is working fine. The only difference in the two similar ones is this is using AND NOT. The other one is using AND. Is this a bug or am I just missing something?

kay · September 13, 2018, 8:06pm

Hi!

Is there more to the exception to have a better pointer for debugging?

Without being at the computer right now, this looks like an issue with operator precedence or expression construction:
The NOT is trying to evaluate something that has boolean value, the type checker apparently accepts it (otherwise you would get an error while editing) but when executed it doesn’t get the result of the == but the function call to_string.

I think you are correct in assuming this to work, I’ll look into in tomorrow morning.
For now, I believe it should work if you added parentheses around the to_string() == "..." expression.

kay · September 13, 2018, 8:19pm

Yeah just checked the grammar, NOT binds closer than == so it will try to run (NOT to_string(...)) == "...".

However the type checker should’ve rejected this, but I think it still cannot see beyond function calls, so it should now allow the code as it is and instead give a proper error message.

megan201296 · September 17, 2018, 4:15pm

Thank you @kay! Glad it was not just me writing a really bad query.

Topic		Replies	Views
Boolean value, boolean operators and boolean expression in pipeline condition Graylog Central (peer support)	3	2256	April 11, 2018
Pipeline condition not correct Graylog Central (peer support) pipeline-rules , debuggingpl	6	933	October 13, 2020
Contains not evaluating correctly Graylog Central (peer support) pipeline-rules	6	383	July 23, 2020
Checking condition in a pipeline Graylog Central (peer support)	7	8037	March 23, 2018
Report incompatible types Graylog Central (peer support)	3	562	April 4, 2018

Graylog pipeline rule syntax errors (I guess?)

Related topics