Hello guys, I just want to ask you: Does anyone have any tips for coding Graylog rules? For example, is it possible to use if, while, or for loops?
Just in case: My lookup table has entries, and it works. For example:
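// Appends the value bound to `startepoch` to the string list stored under the
// key "startepoch" in the "icinga2lookup_service" lookup table.
// Assumes `startepoch` is a `let` binding made earlier in the same rule —
// confirm, a bare identifier is not a message field reference.
// String literals in the rule language are delimited by ASCII double quotes;
// the typographic quotes (“ ”) shown on the forum do not parse and are a
// likely source of the reported errors when the snippet is pasted.
lookup_add_string_list(
  lookup_table: "icinga2lookup_service",
  key: "startepoch",
  value: [startepoch]
);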
Is it even possible to use for loops or any other control-flow construct? Because I keep getting tons of errors all the time. (If you copy the code into your Graylog rules, it seems there are no errors, but if you delete some lines and wait a little bit, you will get tons of errors afterward.) I would appreciate it so much if someone could help me! Thanks in advance, guys.
Graylog Rule:
`rule “Check Event Within Interval”
// `when true` makes the rule fire for every message that reaches this stage.
// The rule language has no `if` statement in the `then` block: any condition
// that should gate the `set_field` calls below belongs here, in `when`.
when
true
then
// NOTE(review): every string literal in this block is wrapped in typographic
// quotes (“ ”), most likely inserted by the forum. The parser only accepts
// ASCII double quotes, so these lines fail to parse as written.
// Each `lookup(table, key)` returns the single value stored under that key.
let event_time = lookup(“dsastoped”, “DSA”);
let start_time = lookup(“icinga2lookup_service”, “startepoch”);
let end_time = lookup(“icinga2lookup_service”, “endepoch”);
let server_name = lookup(“icinga2lookup_service”, “servername”);
let author = lookup(“icinga2lookup_service”, “author”);
let operation = lookup(“icinga2lookup_service”, “operation”);
let reason = lookup(“icinga2lookup_service”,“reason”);
let service = lookup(“icinga2lookup_service”,“service”);
let serviceid= lookup(“icinga2lookup_service”,“serviceid”);
// NOTE(review): the pipeline rule language has no `for`/`while` loops, no
// `if` blocks inside `then`, and a `let` binding cannot be reassigned, so
// nothing from here to `end` is valid rule syntax. A rule processes one
// message at a time; to test "is this event inside a downtime interval" the
// comparison has to be a `when` condition over single values (e.g. one
// lookup key per interval, or the event time read from the message itself),
// with one rule or stage per outcome rather than a nested loop.
// `length` is the string-length function — it is not a list size here.
for(let i = 0; i < length(event_time); i++) {
let event_in_downtime = false; // Flag to track if event within downtime
for(let j = 0; j < length(start_time); j++) {
if(event_time[i] >= start_time[j] && event_time[i] <= end_time[j]) {
event_in_downtime = true;
set_field("event_within_downtime", true); // Not necessarily
}
// Even in a language with loops this branch runs for every j before a match
// is found, so the same fields are overwritten on each iteration and only
// the values from the last non-matching interval would survive.
if(!event_in_downtime) {
set_field("event_within_downtime", false);
set_field("DSA_event_time", event_time[i]);
set_field("start_time",start_time[j]);
set_field("end_time",end_time[j]);
set_field("server_name",server_name[j]);
set_field("author",author[j]);
set_field("operation",operation[j]);
set_field("reason",reason[j]);
set_field("service",service[j]);
set_field("serviceid",serviceid[j]);
}
}
}
end