I have a rule that is capturing from the message and setting fields. Before setting each field, I want to validate the string. For example, if I capture an IP, I don't want to set the field if the IP happens to be 127.0.0.1. Is there any way to do this within the rule's then clause? I don't see any functions that allow additional comparison operators.
rswestmoreland (Richard S. Westmoreland) #1
jan (Jan Doberstein) #2
You can use, for example, a rule like this:
when has_field("type") AND has_field("file") AND to_string($message.type) == "nginx" AND to_string($message.file) == "/var/log/nginx/access.log" then
to verify different conditions in a row. As you can have different conditions, that might be the way to go.
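Applied to the original question, the same idea looks like the rule below. This is an added example, not Jan's rule and not from the Graylog project: the field name `client_ip`, the log format `client=<ip>` and the loopback check are assumptions. Because the pipeline language has no conditional inside `then`, the validation is done in `when`, which means the regex capture is repeated there. It generalizes slightly beyond the question by rejecting the whole loopback block with `cidr_match("127.0.0.0/8", ...)` rather than only 127.0.0.1; replace that with `to_string(...) != "127.0.0.1"` for the exact comparison.

```graylog
// Assumed input line (constructed): "accepted client=10.1.2.3 on port 443"
// Extracts the IPv4 after "client=" into client_ip, but only when it is
// not a loopback address; the rule simply does not fire otherwise.
rule "set client_ip unless loopback"
when
  has_field("message") &&
  // first pass: does the message carry a client=<ip> token at all?
  regex("client=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message)).matches == true &&
  // second pass: reject the loopback block before anything is written
  ! cidr_match("127.0.0.0/8",
      to_ip(regex("client=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message))["0"]))
then
  // the capture has already been validated above, so setting the field is safe
  let m = regex("client=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message));
  set_field("client_ip", m["0"]);
end
```

If the extraction and the validation are better kept apart (for example, several rules share the extraction), the usual pipeline pattern is two stages: one rule sets the field, and a rule in a later stage removes it with `remove_field` when the value fails the check.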