1. Describe your incident:
Trying to use the rules and having issues with the ‘when’ portion of the statement returning true and proceeding, even if the ‘when’ condition returns true.
2. Describe your environment:
- OS Information:
  - Ubuntu 22.10
- Package Version:
  - Graylog 5.1.2+d970230
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
Running the following rule:
```
rule "cisco (4.1) - event routing"
when true
// lookup_has_value("event-router-lookup-table", $message.facility_message)
then
  let has_value = lookup_has_value("event-router-lookup-table", $message.facility_message);
  debug(has_value);
  let stream = lookup_value("event-router-lookup-table", $message.facility_message);
  debug(to_string(stream));
  route_to_stream(name: to_string(stream), remove_from_default: true);
end
```
Looking in the debug logs I get:
```
2023-06-18T15:08:27.005Z INFO [Function] PIPELINE DEBUG: true
2023-06-18T15:08:27.006Z INFO [Function] PIPELINE DEBUG: Authentication Events
```
So I know I’m returning a value from the lookup, so a when should proceed as true and execute the ‘then’ part of the code.
When I change the when portion to read:
```
rule "cisco (4.1) - event routing"
when
  lookup_has_value("event-router-lookup-table", $message.facility_message)
then
  // then-block unchanged from the rule above
end
```
I never see debug messages.
4. How can the community help?
Any suggestions on what I’m doing wrong here?