Pipeline Rule not working - Source replace with grok

Aladine · July 8, 2021, 7:18pm

Thank you, I tried both your suggestions and the source is still showing up as the IPV6 address rather than the hostname. I feel like I’m doing something fundamentally wrong. My goal it to search the message and then replace the source with what I found in the message.

1st Recommendation:
GROK Pattern “FQDN” = “\s%{HOSTNAME}”

rule "FQDN to Source"
when
  has_field("message")
then
 let extract = grok(pattern: "%{FQDN}", value: to_string($message.source));
 set_fields(extract);
end

2nd recommendation:

rule "FQDN to Source"
when
  has_field("message")
then
 let extract = grok(pattern: "^/S %{HOSTNAME}", value: to_string($message.source));
 set_fields(extract);
end

Topic		Replies	Views
Solved: Problem with pipeline rule and grok pattern Graylog Central (peer support) pipeline-rules	6	3095	August 25, 2019
Replacing the Name in the Source Field Graylog Central (peer support)	6	6593	November 8, 2019
Grok in pipeline Graylog Central (peer support) pipeline-rules	9	3159	December 14, 2021
Pipeline rules problem Graylog Central (peer support) pipeline-rules	4	902	March 10, 2022
Need help with pipeline rule to replace source string Graylog Central (peer support) pipeline-rules	3	1680	May 3, 2019

Pipeline Rule not working - Source replace with grok

Related topics