I am trying to set up a Pipeline decorator to find emails that created errors. I'm just searching the message field for a set of certain known strings. Then, if they are present, I try to set the filebeat_fields_type field to a preset string.
rule "is bad email"
when
    // has_field() takes the field *name*; passing the message text never matches
    has_field("message")
    &&
    (
        // contains(value, search, ignore_case): look in the message text for each marker
        contains(to_string($message.message), "PeopleNullContactInfo", true)
        ||
        contains(to_string($message.message), "ContactInformationInvalidEmail", true)
        ||
        contains(to_string($message.message), "Could not send email", true)
    )
then
    set_field("filebeat_fields_type", "bad email");
end
But when I try to implement it, nothing changes in the target field. Am I just not looking in the right place, or am I doing something wrong in the rule coding?
I don’t know about using “AND” and “OR”, I use && and ||.
Here's a sample where I have a combination of these looking at string variables:
when
    (
        has_field("user_agent_original") ||
        has_field("client_user_id") ||
        has_field("url_path")
    )
    &&
    (
        to_string($message."user_agent_original") == "AMProbe/Local/ClientAccess" ||
        contains(to_string($message."client_user_id"), "domain\\extest", true) ||
        // no trailing || after the last condition, or the rule fails to parse
        ends_with(to_string($message."url_path"), "healthcheck.htm", true)
    )
then
    drop_message();
end
In fact, looking at your example more closely, I think you have the "contains" function the wrong way around - it's contains([look in],[look for],[case sensitive?])
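To check the logic of the "is bad email" rule from the first post and the argument order discussed in the reply without a Graylog instance, here is an added Python stand-in (not code from the thread or from Graylog) for the three pipeline functions the rule uses. It follows Graylog's function reference, where has_field() takes a field name and contains() is contains(value, search, ignore_case). The message dicts and the run() helper are constructed for this example.

```python
# Added example (not from the forum thread): minimal Python stand-ins for the
# Graylog pipeline functions used by the "is bad email" rule, so the rule's
# when/then logic can be exercised offline on constructed messages.

BAD_EMAIL_MARKERS = (
    "PeopleNullContactInfo",
    "ContactInformationInvalidEmail",
    "Could not send email",
)


def has_field(message: dict, field: str) -> bool:
    """Graylog's has_field takes a field *name*, not the field's value."""
    return field in message


def to_string(value) -> str:
    """Graylog's to_string renders a missing value as an empty string."""
    return "" if value is None else str(value)


def contains(value: str, search: str, ignore_case: bool = False) -> bool:
    """Graylog's contains(value, search, ignore_case): look IN value FOR search."""
    if ignore_case:
        return search.lower() in value.lower()
    return search in value


def set_field(message: dict, field: str, value) -> None:
    message[field] = value


def is_bad_email(message: dict) -> bool:
    """Mirror of the rule's when-clause: message field present and any marker found."""
    return has_field(message, "message") and any(
        contains(to_string(message.get("message")), marker, True)
        for marker in BAD_EMAIL_MARKERS
    )


def apply_rule(message: dict) -> dict:
    """Mirror of the rule's then-clause: tag matching messages."""
    if is_bad_email(message):
        set_field(message, "filebeat_fields_type", "bad email")
    return message


# Constructed sample messages (hypothetical log lines, not from the thread)
SAMPLE_MESSAGES = [
    {"message": "ERROR: could not send email to user 42"},   # matches, case-insensitive
    {"message": "PeopleNullContactInfo for record 7"},         # matches exactly
    {"message": "INFO: nightly job finished"},                 # no marker present
    {"source": "worker-1"},                                    # no message field at all
]


def run() -> list:
    """Return the filebeat_fields_type value set (or None) for each sample message."""
    return [apply_rule(dict(m)).get("filebeat_fields_type") for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for message, tag in zip(SAMPLE_MESSAGES, run()):
        print(tag, message)
```

The fourth sample shows why has_field("message") is the guard to use: a message without that field is skipped before to_string() is ever evaluated, and the first sample shows the third argument turning the match case-insensitive.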