Pipeline set field when lookup field is not zero

I have a pipeline which uses a lookup table to look up a field. Now when I set fields, I only want them set when one of the fields of the lookup is not 0. How can I do this?

The pipeline:

rule "Enrichment - AlienVault OTX - IP Attribute Query"
when
   has_field("intel_src_ip")
then
   let ldata = lookup(
       lookup_table: "alienvault_query",
       key: to_string($message.intel_src_ip)
       );
   set_fields(
       fields: ldata,
       prefix: "alienvault_otx_"
       );
end

The field which is zero:
alienvault_otx_count: 0

Maybe one solution would be to create a next pipeline stage which will run after the previous one and remove the fields where the value is 0:

rule "Enrichment - AlienVault OTX - Remove 0"
when
   // Compare the field's value, not the literal field name:
   // to_long("alienvault_otx_count") would convert the string and always yield 0.
   has_field("alienvault_otx_count") AND to_long($message.alienvault_otx_count) == 0
then
   remove_field("alienvault_otx_count")
end

Cool, that works, thanks! But I have an additional question: I want to add an extra field if one of the fields contains a specific word.

I am doing this:

rule "Enrichment - MISP - Add whitelisted field if in MISP whitelist"
when
   has_field("intel_misp") AND
   contains(to_string($message.misp_event_info),"whitelist")
then
   set_field("whitelisted","true");
end

The misp_event_info field contains:

[whitelist] Known IP addresses

But the field whitelisted isn't being added.

Maybe check in which pipeline step you run it. It should run in a higher step than the one in which the field you use in the condition was created. Or better, use the pipeline simulator to check whether the step (pipeline rule) ran as you expected.
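As an added example (not posted by anyone in this thread), here is a pipeline definition in Graylog's pipeline source syntax that applies the stage-ordering advice above to both questions: the lookup rules from this thread run in stage 0, and the rules whose conditions read fields written by those lookups run in stage 1. Graylog evaluates every rule condition of a stage before it executes any rule action of that stage, so a field created in stage 0 is only visible to a `when` condition from stage 1 onward. The rule name "Enrichment - MISP - Lookup event info" is a placeholder for whatever rule creates misp_event_info in your setup; the other rule names are the ones shown in this thread.

```text
// Added example, not from the original thread.
// Pipeline source: stage 0 performs the lookups, stage 1 consumes their results.
pipeline "Enrichment - Threat intel"

// Stage 0: lookups that create alienvault_otx_* and misp_event_info.
// "match either" continues to the next stage when at least one rule matched.
stage 0 match either
    rule "Enrichment - AlienVault OTX - IP Attribute Query";
    rule "Enrichment - MISP - Lookup event info";   // placeholder name, assumed

// Stage 1: conditions here read fields that stage 0 wrote.
// Running these in stage 0 would never match, because their conditions
// are evaluated before any stage 0 action has set the fields.
stage 1 match either
    rule "Enrichment - AlienVault OTX - Remove 0";
    rule "Enrichment - MISP - Add whitelisted field if in MISP whitelist";
end
```

After saving the pipeline, run a message with intel_src_ip and intel_misp through the pipeline simulator: the stage 1 rules should now show as matched, and alienvault_otx_count should be absent when the lookup returned 0.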
