I’m struggling a bit with a rule here - I have added it below (the when clause),
when
$message.gl2_remote_ip == to_ip("192.168.2.6")
OR to_string($message.gl2_remote_ip) == "192.168.2.6"
What’s confusing me is … when a message arrives, and gl2_remote_ip is matching (192.168.2.6) … the second check does work, but not the first. Does this make sense?
The reason the first check is failing is that gl2_remote_ip isn’t actually stored as an IP address; rather, it’s stored as a keyword/string. If you want to compare it to an IP object you need to convert it to an IP too: https://docs.graylog.org/en/3.2/pages/pipelines/rules.html
“… Note the call to to_ip around the gl2_remote_ip field reference. This is necessary since the field is stored as a string internally…”
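The fix described in this answer, written out as complete pipeline rules (an added example, not taken from the thread or the Graylog docs; the rule names, the 192.168.2.0/24 range and the output field names are assumptions):

```graylog
// Rule 1: the original exact-match check, with the field converted to an
// IP before it is compared to the IP object.
rule "tag messages from the 192.168.2.6 collector"
when
  // gl2_remote_ip is stored internally as a string, so it must be converted
  // with to_ip() before an == against another IP object can succeed.
  has_field("gl2_remote_ip") AND
  to_ip($message.gl2_remote_ip) == to_ip("192.168.2.6")
then
  set_field("remote_ip_matched", true);
end

// Rule 2 (assumed extension of the same idea): once the field is an IP,
// it can be checked against a whole range instead of a single address.
rule "flag messages arriving from outside the management network"
when
  has_field("gl2_remote_ip") AND
  // The default argument makes to_ip() return 0.0.0.0 instead of failing
  // on a malformed value; 0.0.0.0 falls outside the range, so unparseable
  // senders are flagged rather than silently passed.
  NOT cidr_match("192.168.2.0/24", to_ip($message.gl2_remote_ip, "0.0.0.0"))
then
  set_field("remote_ip_unexpected", true);
end
```

Both rules go in a pipeline attached to the stream receiving the messages; the string form `to_string($message.gl2_remote_ip) == "192.168.2.6"` keeps working as before but cannot be used with range functions such as `cidr_match`.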