Hello Graylog-Community,
I want to add a new field if gl2_remote_ip matches with searched “value”.
If i simulate the process, the simulator says me, that the rule is not satisfied.
Follow the code…
rule "ugly becomes beautiful"
when
contains(to_string($message.gl2_remote_ip), "10.0.0.123")
then
let msg = "myhostname";
set_field("pfsense_filter_hostname", msg);
end
What’s wrong?
I do it like that:
contains(to_string($message.message),to_string(“(in)”))
Thank you for your answer.
I tested it with:
rule "ugly becomes beautiful"
when
contains(to_string($message.gl2_remote_ip), to_string("10.0.0.123"))
then
let msg = "OPNsense1";
set_field("pfsense_filter_hostname", msg);
end
But sadly the result is:
Evaluation not satisfied Rule ‘Ugly becomes beautiful’ (59fc4375762dda0001d84182) in Pipeline ‘Routers’ (59fc4e4f762dda00019a1d7a)
Tested on my cluster:
Evaluation satisfied Rule ‘ugly becomes beautiful’ (59fc5ed8eac6dd8739e62e09) in Pipeline ‘test’ (59a00c79eac6ddf4039326f9)
with:
contains(to_string($message.message), to_string(“1.2.3.4”))
Graylog 2.3.2+3df951e
Thank you so much! It works now.
I have now tested it with $message.message, as you described it.
Strangely enough, gl2_remote_ip doesn’t work.
Whatever… that doesn’t get in my head.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.