I have a rule that is capturing from the message and setting fields. Before setting each field, I want to validate the string. For example, if I capture an IP, I don’t want to set the field if the IP happens to be 127.0.0.1. Is there any way to do this within the rule’s then clause? I don’t see any functions that allow additional comparison operators.
Hi @rswestmoreland,
you can use, for example, a rule like this:
when
has_field("type") AND has_field("file")
AND to_string($message.type) == "nginx"
AND to_string($message.file) == "/var/log/nginx/access.log"
then
to verify different conditions in a row. As you can have different conditions, that might be the way to go.
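Applying that idea to the IP case from the question, here is a complete pipeline rule added as an illustration (it is not code from either poster). It assumes the address appears after `client=` in the message text and that the captured value should land in a field named `client_ip`; the condition is evaluated in the when clause, so the then clause only runs when the address is not loopback. It uses cidr_match against 127.0.0.0/8, which covers the whole loopback range rather than only 127.0.0.1.

```graylog
// Added example, not from the thread: set client_ip only when the
// captured address is outside the loopback range. The "client=" prefix
// and the client_ip field name are assumptions for this illustration.
rule "set client_ip unless loopback"
when
  has_field("message") &&
  // capture group "0" is the first parenthesised group of the pattern
  regex("client=([0-9]{1,3}(\\.[0-9]{1,3}){3})", to_string($message.message)).matches == true &&
  // validate the captured string before the field is ever set;
  // to_ip() converts it so cidr_match() can test the 127.0.0.0/8 range
  ! cidr_match("127.0.0.0/8",
      to_ip(to_string(regex("client=([0-9]{1,3}(\\.[0-9]{1,3})+)", to_string($message.message))["0"])))
then
  // the when clause already guaranteed a non-loopback match, so the
  // then clause can set the field unconditionally
  let m = regex("client=([0-9]{1,3}(\\.[0-9]{1,3})+)", to_string($message.message));
  set_field("client_ip", to_string(m["0"]));
end
```

Messages whose captured address is 127.0.0.1 (or any other 127.x.x.x address) simply do not satisfy the when clause, so no field is written for them.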