to_double is actually really simple - it will take either a string or number. It only returns the default if the value is null.
I think you have uncovered a bizarre bug. Doing some testing I found that when the new field name is an existing numeric field name with _converted appended, it does not get processed correctly.
Try renaming the new field to something else.bug on this. I also requested better documentation.
On a side note: The function parser is a bit strange with regard to field names. It requires additional escaping when the name has a dash (but it didn’t help in your example):
opened 12:07PM - 05 Sep 19 UTC
closed 11:22AM - 27 Nov 19 UTC
needs-input
bug
triaged
There are fields auto-generated by a kv-value based rule therefore the field nam… es are generated by this rule.
There several field names including a dash or multiple dashes. If i want to work with them as reference for field in pipeline rules graylog is not accepting them cause it interprets the dash separated values as variables.
## Expected Behavior
```
rule "ise grok cisco_client_mac from field cise_Acct-Session-Id"
when
has_field("cise_Acct-Session-Id") // is working fine
then
set_fields(grok(
pattern: "%{SOMEPATTERN}",
value: to_string($message.cise_Acct-Session-Id),
only_named_captures: true
)
);
end
```
## Current Behavior
The rule interpreter not accept the field reference and throws following errors:
Undeclared Variable Session in line 7 pos 50
Undeclared Variable Id in line 7 pos 58
## Possible Solution/Workarround
Use trim function vor keys in kv_value function to remove dashes.
## Steps to Reproduce (for bugs)
1. Create a field named cise_Acct-Session-Id or foo_bar-basel
2. try to use this fild in a pipeline function
3.
4.
## Context
There are fields auto-generated by a kv-value based rule therefore the field names are generated by this rule.
There several field names including a dash or multiple dashes. If i want to work with them as reference for field in pipeline rules graylog is not accepting them cause it interprets the dash separated values as variables.
## Your Environment
* Graylog Version:
3.1.0+aa5175e, codename Quantum Dog
* JVM:
PID 25565, Oracle Corporation 1.8.0_222 on Linux 4.9.0-8-amd64
* Elasticsearch Version:
6.8.1
* MongoDB Version: 4.0
* Operating System:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
* Browser version:
Firefox Quantum 60.8.0esr (64-Bit)
2 Likes
