rule "Extract: Sonicwall Extraction"
when
  has_field("source") AND contains(to_string($message.source), "192.168.1.1", true)
then
  set_fields(
    fields: key_value(
      value: to_string($message.message),
      // remove double quotes from keys and values
      trim_value_chars: "\"",
      trim_key_chars: "\""
    )
  );
end
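To make it easier to reason about which messages this rule would act on and what the extraction produces, here is an added Python model of the rule above (example code, not part of the original post and not Graylog's own implementation). The sample messages are constructed in SonicWall key=value style; the `when_matches` function mirrors the `has_field`/`contains` condition (case-insensitive, per the `true` argument), and `key_value` mirrors the field extraction with quote trimming. One assumption: this tokenizer keeps a double-quoted value containing spaces together as one value, which is a choice made here for illustration, not a statement about how Graylog's `key_value` splits on its delimiters.

```python
import re

# Constructed sample messages in SonicWall key=value syslog style (not from the page).
SAMPLE_MESSAGES = [
    {"source": "192.168.1.1",
     "message": 'id=firewall sn=EXAMPLE0001 time="2021-03-01 10:15:22 UTC" fw=192.168.1.1 '
                'pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.5:51234:X0 '
                'dst=93.184.216.34:443:X1 proto=tcp/https'},
    # Same kind of log, but the source field carries a hostname instead of the IP.
    {"source": "gateway.example.internal",
     "message": 'id=firewall sn=EXAMPLE0001 time="2021-03-01 10:15:23 UTC" fw=192.168.1.1 '
                'pri=6 c=1024 m=537 msg="Connection Opened" src=10.0.0.7:51300:X0 '
                'dst=93.184.216.34:443:X1 proto=tcp/https'},
    # A message with no source field at all.
    {"message": "no source field at all"},
]

# key=value tokens; a value is either a double-quoted string (may contain spaces,
# backslash escapes allowed) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def key_value(value, trim_key_chars="", trim_value_chars=""):
    """Model of the rule's key_value(): extract key=value pairs from the text and strip
    the configured characters from each key and value (here the double quote)."""
    fields = {}
    for key, val in KV_RE.findall(value):
        fields[key.strip(trim_key_chars)] = val.strip(trim_value_chars)
    return fields


def when_matches(msg, needle="192.168.1.1"):
    """The rule's 'when' clause: has_field("source") AND contains(source, needle, true).
    The third argument of contains() being true means the comparison ignores case."""
    return "source" in msg and needle.lower() in str(msg["source"]).lower()


def run_rule(msg):
    """Return the fields the rule would add to this message; empty when 'when' does not fire."""
    if not when_matches(msg):
        return {}
    return key_value(str(msg["message"]), trim_key_chars='"', trim_value_chars='"')


def trace(messages):
    """For troubleshooting: report, per message, whether the condition fired and how many
    fields would have been set. Useful before suspecting the stream/pipeline wiring."""
    report = []
    for i, msg in enumerate(messages):
        fields = run_rule(msg)
        report.append({"index": i, "matched": when_matches(msg), "fields_set": len(fields)})
    return report


if __name__ == "__main__":
    for row in trace(SAMPLE_MESSAGES):
        print(row)
    print(run_rule(SAMPLE_MESSAGES[0]))
```

Running this shows that only the first sample fires the rule: the second has a source field that does not contain the IP string, and the third has no source field. Checking the condition against real messages in this way separates "the rule never matched" from "the message never reached the pipeline".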
Is the pipeline connected to the “Ridgeland SonicWall” stream?
In my application, I have my sonicwall only going into its own stream and not the Default Stream - not sure if that will make any difference or not, but might be worth a try if the pipeline is connected to the correct stream. Let me know if you want a screenshot of the pipeline connection, but it’s just below the “details” section. This is at the pipeline level and not the stage/rule level.
See if you can take the messages out of the default stream, so they are only in the sonicwall stream, and if that changes the behavior.
Ensure that you are looking at the most recent messages in search, and not an older message that may not have been processed (I know, obvious, but this was a stumbling block for me once, so I am throwing it out there).
Modify the rule to just write something for every message, so no “when” clause, just a set_field processed=true or something like that to try to isolate the error. Might be easier to make a new rule and move the rule in question to a later stage.