Pipeline Decorator not Implementing

I am trying to set up a Pipeline decorator to find emails that created errors. I’m just searching the message field for a set of certain known strings. Then if they are present I try to set the filebeat_fields_type field to a preset string.

rule "is bad email"
when (
    has_field(to_string($message.message))
    &&
    (
        contains(to_string($message.message), "PeopleNullContactInfo", true)
        ||
        contains(to_string($message.message), "ContactInformationInvalidEmail", true)
        ||
        contains(to_string($message.message), "Could not send email", true)
    )
)
then
    set_field("filebeat_fields_type", "bad email");
end

But when I try to implement it, nothing changes in the target field. Am I just not looking in the right place, or am I doing something wrong in the rule coding?

The command words need to be upper case … the OR for example.

I don’t know about using “AND” and “OR”, I use && and ||.

Here’s a sample where I have a combination of these looking at string variables:

// placeholder rule name
rule "drop monitoring requests"
when
    (
        has_field("user_agent_original") ||
        has_field("client_user_id") ||
        has_field("url_path")
    )
    &&
    (
        to_string($message."user_agent_original") == "AMProbe/Local/ClientAccess" ||
        contains(to_string($message."client_user_id"), "domain\\extest", true) ||
        ends_with(to_string($message."url_path"), "healthcheck.htm", true)
    )
then
    drop_message();
end

In fact looking at your example more closely, I think you have the “contains” function the wrong way around - it’s contains([look in],[look for],[case sensitive?])
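An added example, not written by any poster in this thread and not Graylog code: a small Python model of `has_field`, `contains` and `set_field` that runs the guard from the first rule against a constructed log event. It assumes `has_field` looks its argument up as a field name and that the third argument of `contains` switches on case-insensitive matching; the helper names and the sample event are hypothetical.

```python
# Python model of three Graylog pipeline functions, for illustration only.
# A message is modelled as a dict of field name -> value.

MARKERS = (
    "PeopleNullContactInfo",
    "ContactInformationInvalidEmail",
    "Could not send email",
)

def has_field(message, name):
    """True when the message carries a field called `name`."""
    return name in message

def contains(value, search, ignore_case=False):
    """contains([look in], [look for], [ignore case])."""
    if ignore_case:
        value, search = value.lower(), search.lower()
    return search in value

def matches_marker(message):
    text = str(message.get("message", ""))
    return any(contains(text, marker, True) for marker in MARKERS)

def rule_as_posted(message):
    # The guard passes the *content* of "message" as the field name to look up,
    # so it asks for a field literally named after the whole log line.
    guard = has_field(message, str(message.get("message", "")))
    if guard and matches_marker(message):
        message["filebeat_fields_type"] = "bad email"  # set_field(...)
    return message

def rule_with_field_name(message):
    # Same rule, but the guard names the field itself.
    guard = has_field(message, "message")
    if guard and matches_marker(message):
        message["filebeat_fields_type"] = "bad email"  # set_field(...)
    return message

def sample_event():
    # Constructed event, not taken from the thread.
    return {
        "message": "ERROR mailer: Could not send email to contact 42",
        "filebeat_fields_type": "app",
    }

if __name__ == "__main__":
    print("as posted:      ", rule_as_posted(sample_event())["filebeat_fields_type"])
    print("with field name:", rule_with_field_name(sample_event())["filebeat_fields_type"])
```

In this model the posted guard never passes, so the `set_field` branch is never reached even though the `contains` checks match.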
