I’m trying to combine two grok fields to a single field.
Example: Currently my grok extractors have the fields "src_ip" and "dst_ip". Now I want to use the pipeline rules to combine both the field src_ip and dst_ip into a single field with the name "src_dst_ip".
How do I achieve this with pipeline rules? Please post an example of the rule creation. Thanks.
I’m trying with the below rule in the pipeline and it does not show in a search field.
rule "Combine src and dst field"
when
has_field("$message.src_ip") && has_field("$message.dst_ip")
then
let src_dst_ip = concat( "$message.src_ip" , "$message.dst_ip" ) ;
end
rule "Combine src and dst field"
when
has_field("$message.src_ip") && has_field("$message.dst_ip")
then
let src_dst_ip = concat( "$message.src_ip", " , ", "$message.dst_ip" ) ;
set_field(field:"src_dst_ip", value: src_dst_ip);
end
Explanation:
I added " , " because this will add the comma you stated above (src_dst_ip = 192.168.1.1 , 10.1.1.1): let src_dst_ip = concat( "$message.src_ip", " , ", "$message.dst_ip" ) ;
This will add a field to the message named src_dst_ip with the value in the variable src_dst_ip: set_field(field:"src_dst_ip", value: src_dst_ip);
I have applied the pipeline rules as shown below, but this is not showing in my search field. Do I need to make any additional configuration? I have followed the exact steps mentioned in the below link.
Did you attach the rule to a pipeline that is attached to a stream that the messages in question are running through? If yes, can you look inside the Graylog interface under Indexer errors and in the Graylog log file for errors, and post them if any occurred?
rule "Combine src and dst field"
when
has_field("src_ip") && has_field("dst_ip")
then
// concat takes two strings, so build the result in two steps
let src_ip_comma = concat(to_string($message.src_ip), "-");
let src_dst = concat(src_ip_comma, to_string($message.dst_ip));
set_field(field:"src_dst_ip", value: src_dst);
end
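As an added example (not code posted in this thread), the rule above extended so that src_dst_ip is still populated when only one of the two fields was extracted; it assumes the same src_ip/dst_ip field names, the "-" separator used above, a literal "unknown" placeholder for the missing side, and that all three rules sit in the same pipeline stage:

```graylog
// Both fields present: "src-dst" (same logic as the working rule above)
rule "Combine src and dst field"
when
    has_field("src_ip") && has_field("dst_ip")
then
    let joined = concat(concat(to_string($message.src_ip), "-"), to_string($message.dst_ip));
    set_field(field: "src_dst_ip", value: joined);
end

// Only src_ip present: "src-unknown", so a search on src_dst_ip still finds the message
rule "Combine src and dst field (dst_ip missing)"
when
    has_field("src_ip") && !has_field("dst_ip")
then
    set_field(field: "src_dst_ip", value: concat(to_string($message.src_ip), "-unknown"));
    // assumed marker field, so incomplete extractions can be searched for and fixed
    set_field(field: "src_dst_ip_incomplete", value: true);
end

// Only dst_ip present: "unknown-dst"
rule "Combine src and dst field (src_ip missing)"
when
    !has_field("src_ip") && has_field("dst_ip")
then
    set_field(field: "src_dst_ip", value: concat("unknown-", to_string($message.dst_ip)));
    set_field(field: "src_dst_ip_incomplete", value: true);
end
```

The three conditions are mutually exclusive, so at most one rule fires per message; if src_dst_ip still does not appear in search, check that the pipeline is connected to the stream the messages flow through and look at the indexer errors, as suggested above.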