I am trying to overwrite the “source” field with gl2_remote_ip but it seems this var is empty, or non-existent.
The rule I am using is:
rule "Set Source IP"
when
  has_field("message")
then
  set_field("source_ip", to_string($message.gl2_remote_ip));
  set_field("test", "yes");
end
The “test” field I am using as a check gets properly set but source_ip does not.
If I try to set the field “source_ip” with a fixed string, it is ok; it seems that $message.gl2_remote_ip cannot be used in this context.
On the “search” page if I look at the messages and enable the gl2_remote_ip field visibility, it is there and with the right value. I guess that means the input is ok.
So, on the search page I can see the message, and the value gl2_remote_ip actually contains the message sender IP address. But in a rule the information is unavailable.
Debugged as follows:
rule "Set Source IP"
when
  has_field("message")
then
  set_field("source_ip", $message.gl2_remote_port);
  set_field("test", "yes");
  let debug_message = concat("message.full : ", to_string($message.full));
  debug(debug_message);
  let debug_message = concat("message.gl2_remote_ip : ", to_string($message.gl2_remote_ip));
  debug(debug_message);
end
Got this in the logs:
2018-02-13_10:22:08.80797 INFO [Function] PIPELINE DEBUG: message.full :
2018-02-13_10:22:08.81366 INFO [Function] PIPELINE DEBUG: message.gl2_remote_ip :