Hello,
I’m using Graylog 2.4.3 and having an issue with my first go at messaging pipelines. I have messages (a lot) that are spread across multiple extractors and most of the fields are getting pulled in correctly. The issue is the ‘source’ field (it’s incorrectly extracting the first portion of the incorrectly formatted ‘syslog’ messages to the current year). So the ‘source’ for a lot of devices is just ‘2018.’
What I would like to do is not mess with updating all of the extractors to try and pull in the source correctly but use a messaging pipeline to just change the ‘source’ field to the value of the ‘hostname’ that gets extracted from the message. Example raw message:
authmgr[4107]: <132094> <4107> MIC failed in WPA2 Key Message 2 from Station 24:0d:c2:8d:cd:f1 ac:a3:1e:87:c2:01 HIL-AP-55
and this is what my pipeline rule looks like (it runs on the ‘all messages’ stream):
rule “change_aruba_hostname”
when
to_bool(regex(“\\d\\d\\d\\d”,to_string($message.source)).matches)
then
set_field(“source”,to_string($message.HOSTNAME));
end
HOSTNAME is the field that is getting populated by the extractor but this has not been applying to any messages where I would expect it to apply.
I’ve also tried without the ‘to_bool()’ function and tried something like this to no avail:
rule “change_aruba_hostname”
when
regex(“\\d\\d\\d\\d”,to_string($message.source)).matches == true
then
set_field(“source”,to_string($message.HOSTNAME));
end
Any help is greatly appreciated!
EDIT: added correct amount of '' slashes in my sample rule since this forum platform took one away as an escape character.