Pipeline, concat

Hi Guys,

I would like to create a pipeline that combines two fields into another.
But I do not know why it is not working…

Pls help,

rule "Rule"
when
has_field("Rule") AND has_field("MID")
then
let part_MID = concat(to_string($message.MID),to_string(" ("));
let part_Rule = concat(to_string($message.Rule),to_string(")"));
let Riport = concat(part_MID,part_Rule);
set_field("Riport",Riport);
end

You can find a working sample in the documentation:

http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#concat

You might need to escape some characters or provide more information.

Hi,

Thanks, I half solved it…

rule "Combine src and dst field"
when
has_field("source") && has_field("level")

then
let src_ip_comma = concat(to_string($message.source), "-");
let src_dst = concat(src_ip_comma,to_string($message.level));
set_field(field:"src_dst_ip", value: src_dst);
end

Like this, but if the value is not an IP it is not working… any idea?

Thanks

I modified it like this, but it is not working… and I do not know why.
Any idea?

rule "Combine src and dst field"
when
has_field("From") && has_field("MID")

then
let src_ip_comma = concat(to_string($message.From), "-");
// From is an email address
let src_dst = concat(src_ip_comma,to_string($message.MID));
// MID is a Mail ID, a 6-digit number, 888888
set_field(field:"src_dst_ip", value: src_dst);
end

Here is my working version:

rule "URL"
when
has_field("Domain") && has_field("Path")
then
let URL = concat(to_string($message.Domain), to_string($message.Path));
set_field("URL", URL);
end


If the fields you are concatenating are created by Graylog, please ensure that “Pipeline Processor” comes after “Message Filter Chain” in this config.
