I am trying to set up a Pipeline decorator to find emails that created errors. I’m just searching the message field for a set of certain known strings. Then if they are present I try to set the filebeat_fields_type field to a preset string.
```
rule "is bad email"
when
  contains(to_string($message.message), "Could not send email", true)
then
  set_field("filebeat_fields_type", "bad email");
end
```
But when I try to implement it nothing changes in the target field, am I just not looking in the right place, or am I doing something wrong in the rule coding?
The command words need to be upper case … the OR for example.
I don’t know about using “AND” and “OR”, I use && and ||.
Here’s a sample where I have a combination of these looking at string variables:
```
to_string($message."user_agent_original") == "AMProbe/Local/ClientAccess" ||
contains(to_string($message."client_user_id"), "domain\\extest", true) ||
ends_with(to_string($message."url_path"), "healthcheck.htm", true)
```
In fact looking at your example more closely, I think you have the “contains” function the wrong way around - it’s contains([look in],[look for],[case sensitive?])
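A complete rule combining the points raised in this thread (argument order of `contains`, conditions joined with `||`), as an added example that is not code from any poster here. The second search string and the `pipeline_rule_matched` marker field are assumptions made up for illustration.

```graylog
// Added example, not from the thread. Names marked "hypothetical" are assumptions.
rule "is bad email"
when
  // Guard: only evaluate messages that actually carry a message field.
  has_field("message") &&
  (
    // contains(value, search, ignore_case): the text to look in comes first,
    // the string to look for second; true makes the match case-insensitive.
    contains(to_string($message.message), "Could not send email", true) ||
    // Constructed second string, showing how known strings combine with ||.
    contains(to_string($message.message), "mail delivery failed", true)
  )
then
  set_field("filebeat_fields_type", "bad email");
  // Hypothetical marker field: searching for it shows whether the rule
  // fired at all, separately from whether filebeat_fields_type changed.
  set_field("pipeline_rule_matched", "is bad email");
end
```

The rule only affects messages routed through a stream that the pipeline is connected to, and only messages processed after the rule is in place; already stored messages keep their old field values.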