Pipeline: check if a value is in a List

I don’t manage to check if a value is included in a List.
I get a List from the split function:
let my_list = split(";", “admin;root;toto;foo”);

Then I want to check if a value is contained in this list but I don’t find any function to do it.
And I think it’s not possible to do a for loop to walk through the list.

Please describe more in detail what you want to achive. Which graylog version do you use.

Graylog’s version is 3.3.8.
I have a HTTP JSONPath lookup.
I request this lookup in a pipeline rule with the lookup() function:

let value = lookup("my_lookup", "some_key");

The returned value is a list of values split by “;” (admin;toto;root;administrator…).
Then I want to check if a field’s value is included in this list.
For example I want to check if the value of the field “user” of a log is included in this list.
I’ve found the split() function to create a list from the string.

let my_list = split(";", “admin;root;toto;foo”);

But I don’t know how to check if the “user” field is included in this list.

The First solution I’ve though is a function which checks if the value is included in a list.
For example:

let in_list = is_value_in_list($message.user, my_list)

But I didn’t find any function like that.

If the function doesn’t exist I could resolve my problem with an algorithm like that:

in_list = False
for item in my_list:
    if $message.user == item:
        in_list = True
        set_field("user_in_list", True)

But I don’t know if we can do something like that in a pipeline rule.

Actually my solution is to use the contains() function:
contains(“admin;toto;root;foobar”, $message.user)
It works but it can lead to false positive.
For example:

contains("administrator;toto;root;foobar", "admin")

It will return True because “administrator” contains “admin”.

You could be successful with using lookup tables.

Maybe create new pipeline step with rule:

rule "is_value_in_list"
when
    regex("^(admin|root|toto|foo)$", $message.user).matches == true
then
    set_field("user_in_list", "True");
end
2 Likes

Thank you but that’s not my question

Thank you very much, I like this solution, it will do the job

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.