IP Address Check / Match

Hi,

I’m struggling a bit with a rule here - I have added it below (the when clause),

when
    $message.gl2_remote_ip == to_ip("192.168.2.6")
    OR to_string($message.gl2_remote_ip) == "192.168.2.6"

What’s confusing me is … when a message arrives, and gl2_remote_ip is matching (192.168.2.6) … the second check does work, but not the first. Does this make sense?

Thanks!

Hey,

The reason the first check is failing is because gl2_remote_ip isn’t actually stored as an IP address, rather it’s stored as a keyword/string. If you want to compare it to an ip object you need to convert it to an IP too: https://docs.graylog.org/en/3.2/pages/pipelines/rules.html

“… Note the call to to_ip around the gl2_remote_ip field reference. This is necessary since the field is stored as a string internally…”

Well, now that makes sense … LOL! So the second condition, no reason to need / use to_string(), right?

Thanks!