Index error in pipeline rule

giveen · January 9, 2023, 6:27pm

I have this rule and it works but I’m also still getting errors with it, lol, despite it working

rule "ParseAndLookupMACVendor"
when
  has_field("source_mac")
then
  set_field("source_mac_vendor", "unknown");
  let s = split(":", to_string($message.source_mac));
  let prefix0 = concat(to_string(s[0]), ":");
  let prefix1 = concat(to_string(s[1]), ":");
  let macprefix0 = concat(to_string(prefix0), to_string(prefix1));
  let macprefix = concat(to_string(macprefix0), to_string(s[2]));
  let macvendor = lookup_value("mac-vendor-csv", macprefix);
  set_field("source_mac_vendor", macvendor);
end

Error:

(Error: In call to function 'to_string' at 8:23 an exception was thrown: index (1) must be less than size (1))

tmacgbay · January 9, 2023, 9:10pm

try putting quotes on your index numbers? Total guess…

EDIT: Don’t. I was wrong. Ignore that part.

  let prefix0 = concat(to_string(s["0"]), ":");
  let prefix1 = concat(to_string(s["1"]), ":");
...
  let macprefix = concat(to_string(macprefix0), to_string(s["2"]));

or… source_mac perhaps has something other than a MAC in it… You can put in:

debug(concat("+++ source_mac: ",to_string($message.source_mac)));

and watch the log files to see what your actual source_mac is coming across as.

tail -f /var/log/graylog-server/server.log

~or~

perhaps you can make sure you have a MAC in the when/then

rule "ParseAndLookupMACVendor"
when
  has_field("source_mac") &&
  regex ("^(?:(?:[0-9A-Fa-f]{2}(?=([-:]))(?:\1[0-9A-Fa-f]{2}){5}))$", to_string($message.source_mac)) == ""
then

giveen · January 9, 2023, 9:50pm

Yeah, annoying isn’t it?

Caused Expected type Long but found String when indexing and wouldnt let me save the rule.
Ran into issues with another rule I have that looks for randomized MAC’s.

tmacgbay · January 10, 2023, 3:31pm

Just ignore my unresearched and poor suggestion to put quotes in there. I don’t see anything wrong with how split() is being used - that suggests the error is because you have something other than a MAC coming in for source_mac If validating the MAC causes errors elsewhere… doesn’t that mean that you have non MAC things coming through that would cause an error here?

here is an alternative rule - grab the first 8 char, look them up, if they don’t exist default the result to “unknown” and set the field as such.

rule "ParseAndLookupMACVendor"
when
  has_field("source_mac")
then

  let macprefix = substring(to_string($message.source_mac),0,8);
  let macvendor = lookup_value("mac-vendor-csv", macprefix,"unknown");
  set_field("source_mac_vendor", macvendor);

end

giveen · January 10, 2023, 6:09pm

That worked so much better with my next rule was to test if the MAC was randomized or not.

I really appreciate your help.

tmacgbay · January 10, 2023, 7:11pm

Mark it as the answer for future searches! Hopefully they will ignore my previous bad advice!

system · January 24, 2023, 7:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help combing these rules Graylog Central (peer support) pipeline-rules	5	323	January 18, 2023
CSV Lookup error Graylog Central (peer support) pipeline-rules	5	613	October 6, 2020
Another try at pipeline rules Graylog Central (peer support) pipeline-rules , debuggingpl	5	1246	August 2, 2017
Indexer failures and regex with set_field in Pipeline 2 Graylog Central (peer support) pipeline-rules	18	1793	March 13, 2020
Index Error - mapper_parse_Exception Graylog Central (peer support)	1	826	January 19, 2018

Index error in pipeline rule

Related topics