Has_field() not working

HI, all

I have this rule and it is working as expected

rule “MyRule”
when
true
then
debug(concat("=== facility: ", to_string($message.facility)));
end

I am getting the debug output

2024-05-15T21:27:41.513Z INFO [Function] PIPELINE DEBUG: === facility: local1

However when I configure this rule, i am not getting the debut output

rule “MyRule”
when
has_field(“facility”)
then
debug(concat("=== facility: ", to_string($message.facility)));
end

• OS Information: Linux Ubuntu 22.04 / Greylog 6.0.1

Thanks,

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

Obvious, but double-check that field facility is really present in the log messages.
Try something other than debug, e.g. set a new field in the message. Does that work?

Test requested:

This rule works as expected.

rule “MyRule”
when
true
then
debug(concat("=== facility: “, to_string($message.facility)));
set_field(“facility2”, $message.facility);
debug(concat(”=== facility2: ", to_string($message.facility2)));

I get this output

2024-05-16T12:48:52.855Z INFO [Function] PIPELINE DEBUG: === facility: daemon
2024-05-16T12:48:52.855Z INFO [Function] PIPELINE DEBUG: === facility2: daemon

But when using this rule, I am not getting any output

rule “MyRule”
when
has_field(“facility”)
then
debug(concat("=== facility: “, to_string($message.facility)));
set_field(“facility2”, $message.facility);
debug(concat(”=== facility2: ", to_string($message.facility2)));

Found my issue.

I made the wrong assumption and thought rules are executed in sequential order within the same stage. I have a previous rule that parse the JSON message received and map it into different fields.

The solution was to create 2 stages. Stage0 will only parse the JSON and Stage1 will do the subsequent tasks I want to perform based onf the facility field.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.