Pipeline rule with geo lookup and possible empty array


I am trying to set up a pipeline rule to get some additional geo information, as described in http://docs.graylog.org/en/3.0/pages/geolocation.html#.
The problem I am facing is that part of the result of the lookup can be empty.
In the code below for the rule, setting the country code works fine, but the fields which depend on the subdivisions object can lead to the error

"For rule 'rule geoip lookup': In call to function 'set_field' at 7:2 an exception was thrown: Index: 0, Size: 0".

This happens because the subdivisions object is sometimes empty, for instance:

"country": {
  "confidence": null,
  "geoname_id": 1605651,
  "is_in_european_union": false,
  "iso_code": "TH",
  "names": {
    "de": "Thailand",
    "ru": "Тайланд",
    "pt-BR": "Tailândia",
    "ja": "タイ王国",
    "en": "Thailand",
    "fr": "Thaïlande",
    "zh-CN": "泰国",
    "es": "Tailandia"
  }
},
"subdivisions": []

Code for the rule:

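rule "rule geoip subdivision lookup"
when
  // only run for messages that carry the IP field
  has_field("IP")
then
  let geo = lookup("geoip-lookup", to_string($message.IP));

  set_field("IP_country_code", geo["country"].iso_code);
  // the next two calls throw "Index: 0, Size: 0" when subdivisions is an empty list
  set_field("IP_region_code", geo["subdivisions"].[0].iso_code);
  set_field("IP_region_name", geo["subdivisions"].[0].names.en);
end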

How can I set the fields IP_region_code and IP_region_name only when the array is not empty? Is it possible to use the functions “is_list” or “is_null”/“is_not_null” for this?

It would be a nice feature request to not fail that hard if that happens, or to provide the option to write the field only if not empty.

Is there any solution to the problem or is it currently just not possible?

To write my previous message in other words:

No, it is not possible, but you could write a feature request over at GitHub so that it will be implemented.

Created an issue: https://github.com/Graylog2/graylog2-server/issues/5911
