I am trying to create a single pipeline rule instead of multiple.
rule "AbuseIPDB Lookup"
when
has_field("src_ip")
OR
has_field("Snort_source_IP")
then
let abuseipdb = lookup("AbuseIPDB_Lookup", (to_string($message.src_ip)));
let abuseipdb = lookup("AbuseIPDB_Lookup", (to_string($message.Snort_source_IP)));
set_field("abuseConfidenceScore", abuseipdb["abuseConfidenceScore"]);
end
The issue is I have two different lookup fields where only one of the fields will exist. I am looking up from a lookup, but I am finding with the above, only one of the fields works based on what is last, not what is there. What would be a better way to write the section after THEN?
You should be able to use the first_non_null function and that will turn the two fields into a single variable of just the one that isn't a null, and then run the lookup on that variable.
Great thank you. I am not sure if this is the best way to write it but it works:
rule "AbuseIPDB Lookup"
when
has_field("src_ip")
OR
has_field("Snort_source_IP")
then
let srcip = first_non_null([$message.src_ip, $message.Snort_source_IP]);
let abuseipdb = lookup("AbuseIPDB_Lookup", to_string(srcip));
set_field("abuseConfidenceScore", abuseipdb["abuseConfidenceScore"]);
end
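To show why the first rule only honoured whichever field was assigned last, and what first_non_null changes, here is an added Python simulation of both rule variants. It is not Graylog code and not part of the thread: lookup() and first_non_null() are stand-ins for the pipeline functions, the AbuseIPDB table contents and the sample messages are constructed (TEST-NET addresses), and the null guard after the lookup is an addition to handle a table miss.

```python
"""Simulation of the two pipeline rules from the thread (added example, not Graylog code)."""
from typing import Any, Optional

# Constructed stand-in for the "AbuseIPDB_Lookup" lookup table; scores are made up.
FAKE_ABUSEIPDB_TABLE = {
    "203.0.113.7": {"abuseConfidenceScore": 100},
    "198.51.100.9": {"abuseConfidenceScore": 12},
}


def lookup(table_name: str, key: str) -> Optional[dict]:
    """Mimics lookup(): the row for key, or None when the table has no entry."""
    assert table_name == "AbuseIPDB_Lookup", "only the constructed table exists here"
    return FAKE_ABUSEIPDB_TABLE.get(key)


def first_non_null(values: list) -> Any:
    """Mimics first_non_null(): first element that is not null, else None."""
    for v in values:
        if v is not None:
            return v
    return None


def original_rule(message: dict) -> dict:
    """The first rule as posted: the second `let abuseipdb` overwrites the first."""
    if "src_ip" not in message and "Snort_source_IP" not in message:
        return message
    abuseipdb = lookup("AbuseIPDB_Lookup", str(message.get("src_ip")))
    # This reassignment discards the src_ip result, so only Snort_source_IP ever works.
    abuseipdb = lookup("AbuseIPDB_Lookup", str(message.get("Snort_source_IP")))
    if abuseipdb is not None:
        message["abuseConfidenceScore"] = abuseipdb["abuseConfidenceScore"]
    return message


def fixed_rule(message: dict) -> dict:
    """The second rule: coalesce both candidate fields, then look up once."""
    if "src_ip" not in message and "Snort_source_IP" not in message:
        return message
    srcip = first_non_null([message.get("src_ip"), message.get("Snort_source_IP")])
    abuseipdb = lookup("AbuseIPDB_Lookup", str(srcip))
    # Added guard: a miss in the table must not raise or set a bogus score.
    if abuseipdb is not None:
        message["abuseConfidenceScore"] = abuseipdb["abuseConfidenceScore"]
    return message


def score(rule, message: dict) -> Optional[int]:
    """Run a rule on a copy of the message and return the score it produced, if any."""
    return rule(dict(message)).get("abuseConfidenceScore")


if __name__ == "__main__":
    # Constructed sample events: one carries src_ip, the other Snort_source_IP.
    for msg in ({"src_ip": "203.0.113.7"}, {"Snort_source_IP": "198.51.100.9"}):
        print(msg, "original:", score(original_rule, msg), "fixed:", score(fixed_rule, msg))
```

Running it shows the original rule enriching only the Snort_source_IP event, while the coalesced rule enriches both and leaves a message untouched when its address is not in the table.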