Pipeline Rule not working as expected

Hi there,

In relation to this thread: Pipeline Grok Patterns, I want to parse ASA messages with different Grok patterns.

Now I have something like this:

rule "asa"
when
    has_field("message")
then
    let message_field = to_string($message.message);
    let asa0 = grok(pattern: "%{CISCOFW104001}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW104002}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW104003}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW104004}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW105003}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW105004}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW105005}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW105008}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW105009}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106001}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106006_106007_106010}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106014}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106015}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106021}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106023}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106100_2_3}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106100}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW419002}", value: message_field, only_named_captures: true);
    let asa0 = grok(pattern: "%{CISCOFW106023}", value: message_field, only_named_captures: true);    
    set_fields(asa0);
end

The problem is that, when using more than one grok, only the last grok works as expected. What could be the issue?

Looks like you overwrite asa0 each time you let something equal it. For this to work, you would have to set_fields() each time you let asa0 equal something.

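The fix described in the answer above, written out as a complete rule. This is an added example, not code posted by anyone in the thread. It assumes the CISCOFW* patterns used in the original rule are installed in Graylog, and it passes each grok result straight to set_fields() instead of storing it in a reused variable.

```graylog
rule "asa"
when
    has_field("message")
then
    let message_field = to_string($message.message);
    // Each grok result is written to the message immediately, so a later
    // grok call can no longer replace an earlier result before it is used.
    // Assumption: a pattern that does not match contributes no fields.
    // If two patterns match and capture the same field name, the later
    // set_fields() call overwrites the earlier value.
    set_fields(grok(pattern: "%{CISCOFW104001}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW104002}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW104003}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW104004}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW105003}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW105004}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW105005}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW105008}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW105009}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106001}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106006_106007_106010}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106014}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106015}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106021}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106023}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106100_2_3}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW106100}", value: message_field, only_named_captures: true));
    set_fields(grok(pattern: "%{CISCOFW419002}", value: message_field, only_named_captures: true));
end
```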

Thanks, now it's working…
