I am trying to drop_message() when packetbeat_client_ip == 192.168.10.2. Below is my rule and pipeline. However, I see that the pipeline is not working as expected.
Can someone please help?
has_field("packetbeat_client_ip") && $message.packetbeat_client_ip == "192.168.10.2"
Do you guys see any issue in this?
Try using to_string or to_ip for the match.
Depending on how elastic populated that field you may have to force the type on your search. I could be wrong but I’ve definitely had to do that in the past.
The second part of the when condition is
$message.packetbeat_client_ip == "192.168.10.2"
You compare data with no data type ($message.packetbeat_client_ip) with a string ("192.168.10.2"). The solution would be to make both of them a string:
to_string($message.packetbeat_client_ip) == "192.168.10.2"
as suggested by @BlueTeamNinja.
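A complete Graylog pipeline rule built around the corrected condition, plus a second rule showing the to_ip approach from the first reply combined with cidr_match for a whole subnet. This is an added example, not code from the original thread; the rule names and the 192.168.10.0/24 range are assumptions for illustration.

```graylog
rule "drop packetbeat events from 192.168.10.2"
when
  // has_field guards against the field being absent; to_string forces the
  // untyped field value into a string so the comparison with "192.168.10.2"
  // is string-to-string instead of untyped-to-string.
  has_field("packetbeat_client_ip") &&
  to_string($message.packetbeat_client_ip) == "192.168.10.2"
then
  drop_message();
end

rule "drop packetbeat events from the 192.168.10.0/24 range"
when
  // to_ip converts the value to Graylog's IP address type, which lets
  // cidr_match test it against a range instead of a single host string.
  // The /24 range is an assumption for this example; the thread only
  // needs the single host 192.168.10.2.
  has_field("packetbeat_client_ip") &&
  cidr_match("192.168.10.0/24", to_ip($message.packetbeat_client_ip))
then
  drop_message();
end
```

Both rules still need to be attached to a pipeline stage that is connected to the stream carrying the Packetbeat messages; a correct rule in an unconnected pipeline drops nothing.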
I see that was the part I missed thanks for letting me know that.