Pipeline rule - additional test within then clause


(Richard S. Westmoreland) #1

I have a rule that is capturing from the message and setting fields. Before setting each field, I want to validate the string. For example, if I capture an IP, I don’t want to set the field if the IP happens to be 127.0.0.1. Is there any way to do this within the rule’s then clause? I don’t see any functions that allow additional comparison operators.


(Jan Doberstein) #2

Hej @rswestmoreland

You can use, for example, a rule like this:

when
   has_field("type") AND has_field("file")
   AND to_string($message.type) == "nginx"
   AND to_string($message.file) == "/var/log/nginx/access.log"
then

to verify different conditions in a row. As you can have different conditions, that might be the way to go.
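
An added example, not part of either post above: one way to apply the reply's suggestion to the loopback case from the question is to put the validation in the when clause, so the then clause only runs for values that passed the check. The rule name, the `src=` log format and the `src_ip` field name are assumptions made for illustration.

```graylog
// Added example (not from the thread). Assumes messages contain "src=<IPv4>"
// and that the captured address should be stored in a field named src_ip.
rule "set src_ip unless loopback"
when
  has_field("message") AND
  // the capture must succeed ...
  regex("src=(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message)).matches == true AND
  // ... and the captured value must not be the address we want to skip
  to_string(regex("src=(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message))["0"]) != "127.0.0.1"
then
  // the first capture group is available under the key "0"
  let m = regex("src=(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message));
  set_field("src_ip", m["0"]);
end
```

Each field that needs its own validation gets its own rule of this shape, so a rejected value leaves that one field unset without affecting the others.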