Pipeline rule - additional test within then clause

(Richard S. Westmoreland) #1

I have a rule that is capturing from the message and setting fields. Before setting each field, I want to validate the string. For example, if I capture an IP, I don’t want to set the field if the IP happens to be Is there any way to do this within the rule’s then clause? I don’t see any functions that allow additional comparison operators.

(Jan Doberstein) #2

Hej @rswestmoreland

you can use for example a rule like this:

   has_field("type") AND has_field("file") 
   AND to_string($message.type) == "nginx" 
   AND to_string($message.file) == 

to verify different conditions in a row. As you can have different conditions that might be the way to go.
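
The approach suggested above, written out as a complete rule. This is an added example, not part of either post: the validation sits in the `when` clause, so the `then` clause only runs for values that passed it, with one such rule per field. The `src=<ip>` message layout, the `src_ip` field name and the rejected value `0.0.0.0` are assumptions made for illustration (the value in the question is missing from the page).

```graylog
rule "set src_ip only when the captured value is acceptable"
when
  has_field("message") &&
  // the message must contain a capture candidate at all
  regex("src=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message)).matches == true &&
  // and the captured group must not be the value we refuse to store
  // ("0.0.0.0" is a constructed placeholder)
  to_string(regex("src=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message))["0"]) != "0.0.0.0"
then
  // every check has already passed here, so the field can be set unconditionally
  let m = regex("src=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message));
  set_field("src_ip", m["0"]);
end
```

A message whose capture fails the check simply does not match this rule and keeps flowing through the pipeline without the field being set.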