Hello to the community,

To anyone who can create the right configuration for pipelines that can create new fields: can you share this?) I'm new to this and I don't understand how to create new fields using pipelines. I mean, I know the syntax in the code editor, but I don't see any new fields.

Also, could you share with me the correct configuration for the group? In this case, I need to know how to create fields with the IP address of the threat. I mean that in the traffic dump we see a legitimate HOME_NET and EXT_NET threat, which cannot be compared if we choose which one is definitely a threat.

It may be necessary to create a rule according to which, if the IP is not in the specified array (it is not in the HOME_NET), then this is the IP address of the threat.

In any case, I will be glad to receive any information on my questions)
2. Describe your environment:
OS Information: redhat
Package Version: graylog 5.2
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
4. How can the community help?
Sharing configs, or maybe anything else.
```
rule "geoip_for_ips"
when
  contains(
    value: to_string($message.message),
    search: "src_ip=",
    ignore_case: false
  )
  OR
  contains(
    value: to_string($message.message),
    search: "dest_ip=",
    ignore_case: false
  )
then
  // Capture the value between the quotes after src_ip=.
  // regex() returns its capture groups in a map; the first group is under key "0".
  let src_pattern = "^.*src_ip=\"([^\"]*)\"";
  let src_results = regex(src_pattern, to_string($message.message));
  set_field("ctGIPsrc", src_results["0"]);

  // Same for dest_ip=, using its own variable names instead of re-declaring
  // the ones above. If the message contains only one of the two keys, the
  // other capture is null and that field stays unset.
  let dst_pattern = "^.*dest_ip=\"([^\"]*)\"";
  let dst_results = regex(dst_pattern, to_string($message.message));
  set_field("ctGIPdst", dst_results["0"]);
end
```
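The "is this IP outside HOME_NET" check can be done with Graylog's `cidr_match()` function, which tests an IP against a CIDR range. The pipeline language has no `if`/`else` inside a `then` block, so the usual pattern is one rule per case with the condition in `when`. The two rules below are an added example written for this thread, not taken from the original post or from Graylog's documentation; they assume the `ctGIPsrc` and `ctGIPdst` fields produced by the extraction rule above, and the HOME_NET ranges `10.0.0.0/8` and `192.168.0.0/16` are placeholders to replace with your own. Each rule is pasted into the rule editor separately.

```text
// Added example (not from the original post). Assumes ctGIPsrc / ctGIPdst
// already exist on the message and that HOME_NET is 10.0.0.0/8 plus
// 192.168.0.0/16 (placeholder ranges; substitute your own).

rule "threat_ip_from_src"
when
  has_field("ctGIPsrc") AND
  // source address is NOT in any HOME_NET range -> it is the external side
  NOT (
    cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPsrc))) OR
    cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPsrc)))
  )
then
  set_field("threat_ip", $message.ctGIPsrc);
  set_field("threat_direction", "inbound");   // external -> HOME_NET
end

rule "threat_ip_from_dst"
when
  has_field("ctGIPdst") AND
  // destination address is NOT in any HOME_NET range -> it is the external side
  NOT (
    cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPdst))) OR
    cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPdst)))
  )
then
  set_field("threat_ip", $message.ctGIPdst);
  set_field("threat_direction", "outbound");  // HOME_NET -> external
end
```

Put both rules in a pipeline stage after the stage that runs `geoip_for_ips`, otherwise `ctGIPsrc`/`ctGIPdst` do not exist yet and `has_field()` is false. Two caveats: if both addresses are outside HOME_NET (a capture with no internal host at all), both rules match and whichever runs later overwrites `threat_ip`, so either place them in separate stages to fix the precedence or add `AND cidr_match(... $message.ctGIPdst ...)` to the `when` of the source rule so it only fires when the other side is internal. And if the extracted string is not a valid address, `to_ip()` falls back to `0.0.0.0`, which is outside HOME_NET and would be tagged as a threat; a `to_string($message.ctGIPsrc) != ""` guard in `when` avoids that for empty captures.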