How to use Lookup table, data adapter to change the some field values

Hi,

I am new to Graylog and trying to use data lookup table and data adapter to change log level value to informative string inside pipeline:

CSV:

Level;“SEVERITY”
0;“Emergency”
1;“Alert”
2;“Critical”
3;“Error”
4;“Warning”
5;“Notice”
6;“Informational”
7;“Debug”

I have created the pipeline rule as:

rule “Level lookup with Level Category”

when

has_field(“level”)

then

let update_source = lookup_value(“rfc_5424_log_level”,$message.level);

set_field(“level”, update_source);

end

I am confused now, where exactly and what stage this rule to be used. I have tried this rule at stage 0 with other rules, adding in all the pipeline stages and at the end of the stage, in all the cases I see no messages afterwards.

2. Environment:

• OS Information: Ubuntu 22

GrayLog: 6.0.2

Opensearch: 2.14

MongoDB: 7.17

What do you mean no messages after? Its just doesnt seem to be doing the lookup or writing the field, or it stops further rules from running?

All the message pass through the same rule and doesn’t let other rules to work

Okay I have got the solution, I was trying to modify the default message field (Level)which was causing the data not to process, I have used the new field name and it has started working again.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.