Pipeline rule to generate a Object field with obtained IPs (multi_value) for a QNAME, from a DNS LookUp Table

tmacgbay · April 13, 2020, 3:59pm

Use debug() to dump values out to the graylog log files. Maybe you are grabbing the quotes in the field data so DNS can’t work with it? You can see the results in the Graylog log file using

tail -f /var/log/graylog-server/server.log

ps. use the formatting tools in your posts to make the code/logs you post more readable… for instance the </> button will make

rule “Regla Pipeline - Windows DNS Server - SilkService - Lookup DNS QNAME - MultiIP”
when
has_field(“QNAME”) AND NOT contains(to_string($message.QNAME), “empresa.com”)
then
let multiIPs = lookup(“DNS_QNAME_IP”, to_string($message.QNAME));
set_field(“QNAME_IPs_Prueba”, multiIPs.results);
end

Look more like

rule "Regla Pipeline - Windows DNS Server - SilkService - Lookup DNS QNAME - MultiIP"
when
    has_field("QNAME") AND NOT contains(to_string($message.QNAME), "[empresa.com](http://empresa.com/)")
then
    let multiIPs = lookup("DNS_QNAME_IP", to_string($message.QNAME));
    set_field("QNAME_IPs_Prueba", multiIPs.results);
end

Topic		Replies	Views
Pipeline rule, multiple values using regex function, only possible to return value ["0"] Graylog Central (peer support) pipeline-rules , debuggingpl	2	2220	April 27, 2020
Pipeline hangup Graylog Central (peer support)	4	488	August 2, 2022
Parsing pipeline ["values"] from multi-value result Graylog Central (peer support)	4	1105	February 8, 2018
Pipeline value to extract Graylog Central (peer support) pipeline-rules	5	493	November 22, 2023
Search at json object field Graylog Central (peer support) pipeline-rules	6	4198	April 15, 2020

Pipeline rule to generate a Object field with obtained IPs (multi_value) for a QNAME, from a DNS LookUp Table

Related topics