Hi, so I have a regex extractor that populates a field called “packet_destination_port” based on the message, this works correctly.
I then want to have a pipeline rule that changes the “type” field to “failed_remote_session” if the destination port is 22, 80, 443, 3389 (in this example just port 22 for simplicity).
rule "Type = failed_remote_session"
when
    has_field("packet_destination_port") && to_long($message.packet_destination_port) == 22
then
    set_field("type", "failed_remote_session");
end
However, when I simulate processing a message with the field packet_destination_port:22, it does not satisfy the rule requirements.
I think this is because the packet_destination_port is extracted as an object and it’s failing to convert the object to a long (number). I have tried adding a numeric converter to the extractor, I have tried using to_string and == “22” instead of long. I have tried creating a rule that stores the packet_destination_port field as a variable and re-sets the field as a long. No success.
Does anyone have any suggestions of how to get round this? Am I doing something wrong?
Thanks for asking in the community. What follows are guesses based on what you’ve posted. We have a lot of experienced practitioners in the community who also may want to post to help you out.
Is it possible that the data type of the “packet_destination_port” field is being extracted as an object, rather than a numeric value (string vs numeric)?
One thought is to use a pipeline processor to convert the “packet_destination_port” field from an object to a numeric value (e.g. long or int) before the pipeline rule is applied.
Or maybe use the to_string() function to convert the object to string, and then using == “22” instead of to_long().
You can try to check the data type of the field using type_of() function and take appropriate action accordingly.
Last, I’m thinking that maybe there is an issue with the extractor configuration or the way the message is sent to Graylog. Double-check these elements to ensure that the “packet_destination_port” field is being extracted correctly.
rule "failed_remote_session"
when
    has_field("packet_destination_port") AND contains(to_string($message.packet_destination_port), "22")
then
    set_field("failed_remote_session","batman");
end
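Putting the two suggestions above together, here is an example pipeline rule (added here, not from either reply) that covers all four ports from the original question. It relies on the second, optional argument of to_long(), which is returned when the value cannot be parsed, so a string value "22" and a numeric value 22 both compare equal to 22, and a non-numeric value falls back to 0 and matches nothing. Comparing against the exact number rather than contains(..., "22") also avoids matching ports such as 2222. The field names packet_destination_port and type come from the thread; the rule name and the port list are assumptions.

```graylog
// Added example rule, not from the original thread.
// Marks a message as a failed remote session when the extracted destination
// port is one of 22, 80, 443 or 3389, whether the field arrived as a string or a number.
rule "failed_remote_session on common remote ports"
when
    has_field("packet_destination_port") &&
    (
        // to_long() parses a string or passes a number through; the default 0
        // is returned if the value cannot be converted, so it never matches
        to_long($message.packet_destination_port, 0) == 22 ||
        to_long($message.packet_destination_port, 0) == 80 ||
        to_long($message.packet_destination_port, 0) == 443 ||
        to_long($message.packet_destination_port, 0) == 3389
    )
then
    set_field("type", "failed_remote_session");
    // store the port as a number so later stages and searches can do numeric comparisons
    set_field("packet_destination_port", to_long($message.packet_destination_port, 0));
end
```

When simulating, compare the value shown for packet_destination_port before and after this rule: if the input value is still an unconverted object, the to_long() default of 0 is what you will see, which points back at the extractor configuration rather than the rule.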
Hi @gsmith and @dscyber, thank you very much for your responses!
Turns out I was just being stupid, I thought I had added a numeric converter to the extractor but I didn’t click “Add” before updating and closing the extractor. Now that it is not extracting as an object type, it can be converted into a string/long data type.
This might also be a dumb question, but does anyone know the reason objects cannot be converted into other data types?
In Java, every variable has a data type and stores a value of that type. Data types, or types for short, are divided into two categories: primitive and non-primitive. There are eight primitive types in Java: byte, short, int, long, float, double, boolean and char. These built-in types describe variables that store single values of a predefined format and size. Is this what you’re referring to?