1. Describe your incident:
IPv6 pipeline rule does not work on field type IP.
2. Describe your environment:
- OS Information: docker
- Package Version: 6.1.4
- Service logs, configurations, and environment variables:
I configured two pipeline rules while trying to solve my issue.
My issue is to tag logs with “ipv6 tag” and normalize the IPv6 addresses to lowercase.
The first pipeline rule checks whether grok works with the pattern IPV4:
    rule "fp_classify_ipv4"
    when
        grok(value: to_string($message.fp_Src), pattern: "%{IPV4}").matches == true
    then
        // add tag ipv4
        set_field(
            field : "tags",
            value : "ipv4"
        );
    end
This pipeline rule works great.
Second rule for IPv6:
    rule "fp_classify_ipv6"
    when
        grok(value: to_string($message.fp_Src), pattern: "%{IPV6}").matches == true
    then
        let my_src_ipv6 = lowercase(to_string($message.fp_Src));
        set_field("fp_Src", to_ip(my_src_ipv6));
        // to check if it works with other field type
        set_field("fp_Src_ipv6_lc", my_src_ipv6);
        // add tag ipv6
        set_field(
            field : "tags",
            value : "ipv6"
        );
    end
This pipeline rule matches nothing and I don't know why.
The field type of fp_Src is IP, because we use CIDR match for searching etc.
Example values are:
fp_Src: 1.1.1.1
fp_Src: 2A00:1450:400C:C00::5E
3. What steps have you already taken to try and solve the problem?
I created multiple pipeline rules to get it to work, but nothing worked. One of them is posted here.
4. How can the community help?
Let me know why my pipeline rule for IPv6 does not match a field with the correct content.
Thanks for your help.
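
Added example, not part of the original post and not Graylog code: a Python reference for the result the two rules aim at (a family tag plus a lowercase address), run on the post's two sample values and on constructed ones. The names `classify` and `process` and the dict-shaped message are assumptions, and the example does not explain why the grok rule fails to match.

```python
import ipaddress

FIELD = "fp_Src"  # field name taken from the post


def classify(value):
    """Return (tag, canonical_text); tag is 'ipv4', 'ipv6' or None."""
    text = str(value).strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None, text  # not an IP literal: leave the value untouched
    # .compressed is lowercase and zero-compressed, so every spelling of
    # the same IPv6 address collapses to a single searchable string.
    return f"ipv{addr.version}", addr.compressed


def process(message):
    """Tag and normalize one message (a dict); returns a new dict."""
    out = dict(message)
    if FIELD not in out:
        return out
    tag, canonical = classify(out[FIELD])
    if tag is None:
        return out
    out[FIELD] = canonical
    out["tags"] = tag  # overwrites "tags", as set_field does in the rules
    return out


# Constructed sample messages; the first two values come from the post.
SAMPLES = [
    {"fp_Src": "1.1.1.1"},
    {"fp_Src": "2A00:1450:400C:C00::5E"},
    {"fp_Src": "2A00:1450:400C:0C00:0000:0000:0000:005E"},  # same address, long form
    {"fp_Src": "not-an-ip"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(process(sample))
```

The third sample shows that lowercasing alone does not make equivalent IPv6 spellings compare equal as strings; parsing and re-serializing does.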