Pipeline not adding new fields

dansta87 · April 3, 2023, 6:43am

1. Describe your incident:

Messages processed by newly created pipeline no longer appear in any searches or streams.

2. Describe your environment:

OS Information: Ubuntu 22 LTS
Package Version: Graylog 5.0.5 single-node

3. What steps have you already taken to try and solve the problem?

Tested multiple messages in the simulator - all pass and show correct new fields.
Checked the Message Processor Configuration as per other forum posts:

image784×255 11 KB
Tried searching all streams / messages, cannot locate affected messages.
Disable the pipeline allows the messages to flow correctly, so is a pipeline related issue.
Have double checked all rules / connections in the pipeline.
Pipeline rule below:

 rule "GeoIP lookup"
 when
   to_string($message.EventID) == "312"
 then
    let parsed = regex("(?:[0-9]{1,3}\\.){3}[0-9]{1,3}",to_string($message.full_message));
    let geo = lookup("geoip-lookup", parsed["0"]);
 
    set_field("src_ip_geo_location", geo["coordinates"]);
    set_field("src_ip_geo_country", geo["country"].iso_code);
    set_field("src_ip_geo_city", geo["city"].names.en);
 
 end

4. How can the community help?

I need help correctly configuring the pipeline to set the new fields with the information i need.

EDIT:
The rule above is double back-slashed, but seems to remove that when i post

Wine_Merchant · April 3, 2023, 8:18am

Hey @dansta87,

Can you see messages passing through the pipeline/rule and not failing, is there anything within the logs that would point to the issue.

Perhaps make use of debug to print the value of parsed[0].

drewmiranda-gl · April 3, 2023, 4:06pm

I’m curious if you have any Indexing or Processing failures on the ‘System / Overview’ page.

The pipeline rule doesn’t appear to be changing anything else to cause messages to disappear (such as timestamp). Its possible elasticsearch/OpenSearch is throwing index errors if its unable to store the data for a given field.

dansta87 · April 3, 2023, 11:09pm

Thank you for the reply.
It appears i am indeed getting index errors:

Not sure where the 1000 fields is coming from as the above pipeline is the only thing I have active.

dansta87 · April 4, 2023, 12:26am

I appreciate the replies as this helped me look in the right direction. I’ve split my indexes and modified my NXLog for Windows Event Log to be more precise and not just pull everything. I’ve also reduced my index rotation from 90 days to 30 days.

My index errors have stopped and the pipeline appears to be working now with messages being correctly modified with the new fields.

Thanks all

system · April 18, 2023, 12:26am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to reference fields in pipeline rules Graylog Central (peer support) pipeline-rules	4	435	February 17, 2021
Pipeline on new stream not working Graylog Central (peer support) pipeline-rules	3	2628	July 7, 2021
Geolocation 0 message error Graylog Central (peer support) pipeline-rules , debuggingpl	3	690	November 19, 2020
Pipeline problems Graylog Central (peer support) pipeline-rules , route-to-streampl	5	2186	March 2, 2018
Pipeline does'n work Graylog Central (peer support)	3	316	February 23, 2021

Pipeline not adding new fields

Related Topics