Pipeline whoislookup Debug not working

Hi,

I simply wrote this code:

rule "whois_lookup"
when
is_not_null("IP")
then
let whois_lookup = whois_lookup_ip(to_string($message.IP), "src_addr");
set_fields(whois_lookup);
debug(whois_lookup_ip(to_string($message.IP), "src_addr"));
end

I tested some IPs on the whois lookup tables page, and that works. On the search page I have IP and src_addr fields, but in the debug line I get this output:

2018-11-06T14:24:51.110+03:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.

So, this does not work for me.

Do you have any idea about this?

The return of whois_lookup_ip is a multi-value field; the debug is not able to show that.

The whois_lookup field is empty. How do I know if it works with debug?

You can go over to system/lookuptables/table/whois and make a test lookup if it is working - for testing.

That works, but I want to add whois information to messages as a field:


My message record has an IP field:

For me the following rule is working:

rule "lookup whois"
when
	has_field("src_ip") AND
	is_ip(to_ip($message.src_ip)) == true
then
	let wl = whois_lookup_ip(to_string($message.src_ip), "src_ip");
	set_fields(wl);
end

If your test is working too, your processing pipeline might not be attached correctly. The other option might be that your Graylog server is rate-limited by the whois systems.
