I’m trying to figure out this pipeline feature for the purpose of dropping some messages that I simply do not care about. Basically, I’m looking to do blacklisting. In order to do that filtering, I am looking for the existence of specific fields that would be created by an extractor. When I go to the pipeline simulator and paste in a copy of the raw message, select a Message input, it doesn’t seem to run that message through any extractor.
What am I missing here?
I am using the “All messages” stream.
The rule that I am trying to use is:
rule "has firewall fields"
when
  // condition as posted; both fields must already exist on the message
  has_field("FW_Src_IPv4") && has_field("FW_Dst_IPv4")
then
  // action assumed from the stated goal of dropping matching messages
  drop_message();
end
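To make the ordering problem concrete, here is an added example (not the poster's code and not Graylog's) that models the two stages in Python: a hypothetical regex extractor that creates FW_Src_IPv4 and FW_Dst_IPv4, and a predicate equivalent to the posted rule. The raw syslog line and the extractor pattern are constructed for this example. Running the rule on the raw text alone never matches, because has_field() only sees fields that already exist on the message; running the extractor first makes the same rule fire.

```python
import re
from typing import Dict, Optional

# Constructed sample: a raw firewall syslog line of the kind an extractor would parse.
# The SRC=/DST= layout is an assumption for this example, not a real vendor format.
RAW_MESSAGE = (
    "<134>Jan 10 12:00:01 fw01 kernel: ACCEPT SRC=10.0.0.5 DST=198.51.100.7 "
    "PROTO=TCP SPT=4431 DPT=443"
)

# Hypothetical extractor: a regex whose named groups become the two message fields.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
EXTRACTOR_PATTERN = re.compile(
    rf"SRC=(?P<FW_Src_IPv4>{IPV4}) DST=(?P<FW_Dst_IPv4>{IPV4})"
)


def run_extractor(message: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the message with extracted fields added (unchanged if the regex misses)."""
    out = dict(message)
    m = EXTRACTOR_PATTERN.search(message.get("message", ""))
    if m:
        out.update(m.groupdict())
    return out


def has_field(message: Dict[str, str], name: str) -> bool:
    """Model of the pipeline has_field() function: true only if the field exists."""
    return name in message


def has_firewall_fields(message: Dict[str, str]) -> bool:
    """Equivalent of the posted condition: has_field("FW_Src_IPv4") && has_field("FW_Dst_IPv4")."""
    return has_field(message, "FW_Src_IPv4") and has_field(message, "FW_Dst_IPv4")


def process(raw: str, run_extractors: bool) -> Optional[Dict[str, str]]:
    """Return the message if it is kept, or None if the drop rule fired.

    run_extractors=False mimics feeding raw text straight to the rule, as the
    simulator appears to do in the post; run_extractors=True mimics the normal
    input path where extractors run before the pipeline sees the message.
    """
    message = {"message": raw}
    if run_extractors:
        message = run_extractor(message)
    if has_firewall_fields(message):
        return None  # drop_message()
    return message


if __name__ == "__main__":
    print("dropped without extractor:", process(RAW_MESSAGE, run_extractors=False) is None)
    print("dropped with extractor:   ", process(RAW_MESSAGE, run_extractors=True) is None)
```

The same message is kept in the first run and dropped in the second; the only difference is whether the fields were created before the rule evaluated.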