Pipelines for creating new fields


Hello to the community,

Could anyone who has built the right pipeline configuration for creating new fields share it? I'm new to this and I don't understand how to create new fields using pipelines. I mean, I know the syntax in the code editor, but I don't see any new fields.

Also, could you share with me the correct configuration for the group? In this case, I need to know how to create fields with the IP address of the threat. I mean that in the traffic dump we see a legitimate HOME_NET and an EXT_NET threat, which cannot be compared if we have to choose which one is definitely a threat.

It may be necessary to create a rule according to which, if the IP is not in the specified array (it is not in HOME_NET), then this is the IP address of the threat.

In any case, I will be glad to receive any information on my questions.

2. Describe your environment:

  • OS Information: redhat

  • Package Version: graylog 5.2

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?
Sharing configs, or maybe anything else.


This should be helpful: Set a new Field in graylog

Best to take it step by step. Show us what you have built and where you are blocked; then we can help you make progress.


OK, thanks.

You know, I tried this; I see the new fields in the simulator, but I can't see the new fields in the stream.

What am I doing wrong?

My source code looks like this (I made it with the generator in Graylog and then converted it to source code):

==========================================================

rule "geoip_for_ips"
when
  contains(
    value: to_string($message."message"),
    search: "src_ip=",
    ignore_case: false
  )
  OR
  contains(
    value: to_string($message."message"),
    search: "dest_ip=",
    ignore_case: false
  )
then
  // Capture group 1 ("0" in the result map) is the text between the quotes
  // after src_ip=. The "*" quantifiers and the escaped quotes are required:
  // without them the pattern matches a single character and the string
  // literal does not parse.
  let src_pattern = "^.*src_ip=\"([^\"]*)\"";
  let src_match = regex(src_pattern, to_string($message."message"));
  set_field("ctGIPsrc", src_match["0"]);

  // Same for dest_ip=. If only one of the two keys is present, the other
  // lookup yields null and the field is set to null.
  let dst_pattern = "^.*dest_ip=\"([^\"]*)\"";
  let dst_match = regex(dst_pattern, to_string($message."message"));
  set_field("ctGIPdst", dst_match["0"]);
end

==========================================================

In this case I search the messages for the words "src_ip" or "dest_ip" and then parse the values of these fields via regex.

==========================================================

So I see the new fields in the simulator, but I can't see them in the stream.
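The HOME_NET question from the first post (mark as the threat address whichever of the two IPs is outside the home ranges) can be done with cidr_match in a second stage. The rules below are an added example, not code from the poster or from Graylog; they reuse the ctGIPsrc and ctGIPdst field names from the post. The event format (src_ip="..." before dest_ip="..."), the two HOME_NET ranges, and the threat_ip and threat_direction field names are assumptions to adjust for your environment. Each rule goes into its own rule in the UI; the extraction rule belongs in stage 0 and the two classification rules in stage 1, because a field set by a rule is only visible to the conditions of rules in a later stage.

```graylog
// Stage 0: extract both addresses once.
// Assumption: the event text contains src_ip="A.B.C.D" ... dest_ip="E.F.G.H" in that order.
rule "extract_src_dst_ip"
when
  has_field("message") AND
  regex("src_ip=\"([^\"]+)\".*dest_ip=\"([^\"]+)\"", to_string($message.message)).matches
then
  // Named groups avoid the "0"/"1" index lookups.
  let m = regex("src_ip=\"([^\"]+)\".*dest_ip=\"([^\"]+)\"", to_string($message.message), ["src", "dst"]);
  set_field("ctGIPsrc", to_string(m["src"]));
  set_field("ctGIPdst", to_string(m["dst"]));
end

// Stage 1: HOME_NET is 10.0.0.0/8 and 192.168.0.0/16 here (assumption; replace with your ranges).
// The address that is NOT in HOME_NET is the threat address. If both addresses are
// internal or both are external, neither rule fires and no threat_ip is set, so an
// ambiguous event is left unclassified rather than guessed.
rule "threat_ip_is_src"
when
  has_field("ctGIPsrc") AND has_field("ctGIPdst") AND
  NOT (cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPsrc))) OR
       cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPsrc)))) AND
      (cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPdst))) OR
       cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPdst))))
then
  // External source talking to an internal host: the source is the threat.
  set_field("threat_ip", $message.ctGIPsrc);
  set_field("threat_direction", "inbound");
end

rule "threat_ip_is_dst"
when
  has_field("ctGIPsrc") AND has_field("ctGIPdst") AND
      (cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPsrc))) OR
       cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPsrc)))) AND
  NOT (cidr_match("10.0.0.0/8", to_ip(to_string($message.ctGIPdst))) OR
       cidr_match("192.168.0.0/16", to_ip(to_string($message.ctGIPdst))))
then
  // Internal host reaching out to an external address: the destination is the threat.
  set_field("threat_ip", $message.ctGIPdst);
  set_field("threat_direction", "outbound");
end
```

If the fields appear in the simulator but not on live messages, check two things outside the rule text: the pipeline must be connected to the stream those messages are routed to (Pipeline connections), and in System > Configurations the Message Filter Chain should run before the Pipeline Processor, otherwise stream routing has not happened yet when the pipeline runs.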
