Pipeline doesn't work

Hi Guys,
I need to drop all the messages which contain a certain IP, and I've written the following rule:
rule "False_Positive"
when
    has_field("message") AND
    contains("192.168.1.78", to_string($message.message))
then
    drop_message();
end

the configuration is:
Processor Status
1 Message Filter Chain active
2 Pipeline Processor active
3 GeoIP Resolver active

Unfortunately nothing happens, and the logs which contain the above IP are still on my dashboard.
Any idea where the problem could be?
Thanks
Laurentiu

Use debug() to see what is going on. For instance:

rule "False_Positive"
when
    has_field("message") AND
    // same condition as in the original rule
    contains("192.168.1.78", to_string($message.message))
then
    debug("-- Start of FP THEN --");
    // log whether contains() actually finds the IP in this message
    let izzittrue = concat("~~~IP was found: ", to_string(contains("192.168.1.78", to_string($message.message))));
    debug(izzittrue);
    // log the raw message text the rule is looking at
    debug($message.message);
    drop_message();
end

Monitor with:

tail -f /var/log/graylog-server/server.log

You may need to swap your parameters around, as per the documentation:

https://docs.graylog.org/en/latest/pages/pipelines/functions.html#contains

1 Like

Yes, swapping is one option; the other is to name the parameters:

contains(search: "192.168.1.78", value: to_string($message.message))
2 Likes
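To make the two answers above concrete, here is an added example (not from the original thread and not Graylog's own code) that models the documented semantics of contains(value, search) in Python and runs the drop rule over a few constructed log lines. It shows three variants: the argument order as first posted, the named-parameter fix, and a regex version that treats the IP as a whole token. The message texts, the gl_contains model and the rule_* helpers are assumptions made for this illustration.

```python
import re

TARGET_IP = "192.168.1.78"


def gl_contains(value: str, search: str, ignore_case: bool = False) -> bool:
    """Local model of Graylog's contains(value, search, [ignore_case]):
    true when `search` occurs somewhere inside `value`. Not Graylog's code."""
    if ignore_case:
        return search.lower() in value.lower()
    return search in value


# Constructed sample messages (not real log data), covering the edge cases
# a substring match has to cope with.
SAMPLES = [
    "sshd[1234]: Accepted password for root from 192.168.1.78 port 51234",
    "sshd[1235]: Failed password for admin from 192.168.1.7 port 51235",
    "kernel: eth0 link up",
    "192.168.1",                            # text that is a substring of the IP
    "nginx: client 192.168.1.780 GET /",    # IP is a prefix of a longer address
]


def rule_as_posted(message: str) -> bool:
    """Condition from the first post: arguments in (search, value) order,
    i.e. asks 'does the IP string contain the whole message?'."""
    return gl_contains(TARGET_IP, message)


def rule_named_params(message: str) -> bool:
    """Condition from the accepted answer: named parameters, so the
    message is the value being searched and the IP is the needle."""
    return gl_contains(value=message, search=TARGET_IP)


# Whole-token match: the IP must not be preceded or followed by another
# digit or dot, so 192.168.1.780 and 1192.168.1.78 do not match.
IP_RE = re.compile(r"(?<![0-9.])" + re.escape(TARGET_IP) + r"(?![0-9.])")


def rule_anchored(message: str) -> bool:
    """Token-aware variant of the drop condition."""
    return IP_RE.search(message) is not None


def run_pipeline(rule, messages):
    """Apply `rule` as a drop_message() condition; return (kept, dropped)."""
    kept, dropped = [], []
    for m in messages:
        (dropped if rule(m) else kept).append(m)
    return kept, dropped


if __name__ == "__main__":
    for name, rule in [("as posted", rule_as_posted),
                       ("named params", rule_named_params),
                       ("anchored regex", rule_anchored)]:
        kept, dropped = run_pipeline(rule, SAMPLES)
        print(f"{name}: dropped {len(dropped)} of {len(SAMPLES)}")
        for m in dropped:
            print("   dropped:", m)
```

With the arguments in the posted order the rule never drops the sshd line that actually contains the IP; the only message it drops is the one whose entire text happens to be a substring of "192.168.1.78", which is why nothing visible changed on the dashboard. The named-parameter form drops the right line but, being a plain substring test, also drops the 192.168.1.780 line; the regex variant only drops the exact address (Graylog's own regex() pipeline function can express the same pattern if you want that behaviour in a rule). Two caveats worth keeping in mind when using drop_message() on raw message text: a substring rule silently discards any log line in which that string appears, including lines where an attacker controls the text (usernames, URLs, user agents), so matching on a parsed source-address field is safer than matching on $message.message; and dropped messages are gone from Graylog entirely, so a debug() line as suggested above is the only record you get while tuning the rule.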

It seems that this is the right solution. Thanks
