Pipeline value to extract

Hello guys,

I am trying to extract the values from here and use them as IP enrichment. I am interested in "harmless", "malicious" and "suspicious".

```json
"single_value": "GOOGLE",
"multi_value": {
  "harmless": 65,
  "malicious": 3,
  "suspicious": 0,
  "undetected": 21,
  "timeout": 0
},
"string_list_value": null,
"has_error": false,
"ttl": 9223372036854776000
```

My current pipeline rule looks like this:

```
rule "ip check"
when true
then
  let harmless = lookup("virustotal-table", $message.dstip);
  set_field("harmless_score", harmless);
end
```

Please let me know what I am doing wrong, because it is not working. I am receiving a null result.

Thank you.

Hello,
Try this:

```
rule "ip check"
when
  has_field("dstip")
then
  let virustotal = lookup("virustotal-table", to_string($message.dstip));
  set_fields(virustotal);
end
```

Or this:

```
rule "ip check"
when
  has_field("dstip")
then
  let virustotal = lookup("virustotal-table", to_string($message.dstip));
  set_field("harmless_score", virustotal.harmless);
  set_field("malicious_score", virustotal.malicious);
  set_field("suspicious_score", virustotal.suspicious);
end
```

If it doesn’t work, check for errors in server.log.
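Building on the map access shown in that answer, the following is an added example (not from the original post and not Graylog's own documentation) of how the same lookup can be made robust against misses and turned into a detection field. It assumes the thread's lookup table name `virustotal-table` and `dstip` field; the output field names `vt_*` and `vt_flagged`, the two-stage layout and the "any engine" threshold are my own choices. The same `map.key` / `map["key"]` access applies to the phone-number lookup later in the thread once its data adapter returns a keyed map.

```graylog
// Stage 0: enrich the message with the VirusTotal engine counts from the lookup table.
rule "virustotal: enrich dstip"
when
  has_field("dstip") &&
  // lookup() returns the adapter's multi_value map, or null on a miss; skip the rule on a miss
  // instead of writing null fields into the message
  lookup("virustotal-table", to_string($message.dstip)) != null
then
  let vt = lookup("virustotal-table", to_string($message.dstip));

  // to_long() with a default keeps the field numeric even if a key is absent from the map
  set_field("vt_harmless",   to_long(vt.harmless, 0));
  set_field("vt_malicious",  to_long(vt.malicious, 0));
  set_field("vt_suspicious", to_long(vt.suspicious, 0));
end

// Stage 1 (a later stage, so the vt_* fields already exist when this rule runs):
// flag the message when any engine reported the destination as malicious or suspicious.
// The "> 0" threshold is an assumption; tune it to your false-positive tolerance.
rule "virustotal: flag dstip"
when
  to_long($message.vt_malicious, 0) > 0 || to_long($message.vt_suspicious, 0) > 0
then
  set_field("vt_flagged", true);
  set_field("vt_reason", concat("malicious=", to_string($message.vt_malicious)));
end
```

Attach both rules to one pipeline with the enrich rule in stage 0 and the flag rule in stage 1; stages run in order, so the flag rule sees the numeric fields rather than the raw map. Keeping the counts numeric (`to_long`) matters because a string `"3"` would not satisfy a `> 0` comparison in a later rule or event definition.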


Pretty much the same question, only the (JSON) output is a little different:

```json
{
  "single_value": true,
  "multi_value": {
    "value": [
      true,
      "+0123456789",
      "MOBILE",
      31,
      "NL",
      "Netherlands"
    ]
  },
  "string_list_value": [
    "true",
    "+0123456789",
    "MOBILE",
    "31",
    "NL",
    "Netherlands"
  ],
  "has_error": false,
  "ttl": 9223372036854776000
}
```

```
rule "number lookup: dnid"
when
  has_field("dnid")
then
  let number_lookup = lookup("phone_number_lookup", to_string($message.dnid));

  let type = to_string(number_lookup["type"]);
  let country = to_string(number_lookup["country"]);
  let country_code = to_string(number_lookup["country_code"]);
  let country_name = to_string(number_lookup["country_name"]);

  set_field("DNID: country", country);
  set_field("DNID: country_code", country_code);
  set_field("DNID: country_name", country_name);
  set_field("DNID: type", type);
end
```

If I add `debug(lookup("phone_number_lookup", to_string($message.dnid)));` it returns this in the logs:

```
{value=[true,"+0123456789","MOBILE",01,"ZZ","Somewhere"]}
```

So the lookup works.

How to get the correct values?

Answered my own question:

For anyone else: it's working now.

Here's the original JSON output:

```json
{"isValid":true,"phoneNumber":"+01234567890","type":"MOBILE","country_code":31,"country":"NL","country_name":"Netherlands"}
```

In the data adapter, the single value becomes `$.isValid` and the multi value becomes `$`.

Now when testing, the lookup reads:

```json
{
  "single_value": true,
  "multi_value": {
    "isValid": true,
    "phoneNumber": "+1234567890",
    "type": "MOBILE",
    "country_code": 31,
    "country": "NL",
    "country_name": "Netherlands"
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}
```

Now in pipelines I can do:

```
let country = to_string(number_lookup["country"]);
set_field("DNID_country", country);
```

And it works.

Hello,

Yes, worked. Thank you.
