Pipelines not working

tomsi · April 26, 2022, 9:46am

Hello,

I want to summarize the Values of one field.
The use case is very simple, i receive Windows Event Logs with the field:
winlogbeat_winlog_event_data_TargetDomainName

Now, sometimes the Domain “abc” is used, and sometimes the FQDN: “abc.domain”.
We really dont care which one is getting used, so i want to transform the value “abc” to “abc.domain” in order to reduce noise.

I configured the following Pipeline rule:

rule "summarize domain"
when
    has_field("winlogbeat_winlog_event_data_TargetDomainName") &&
    contains("winlogbeat_winlog_event_data_TargetDomainName","abc")
then
    set_field("winlogbeat_winlog_event_data_TargetDomainName","abc.domain");
end

The Pipeline is connected to the stream where the Eventlogs land.
The Problem is that the rule apparently never matches and the values are not getting transformed.

What am i missing?

patrickmann · April 26, 2022, 11:53am

You are specifying a string value instead of a field name. I think it should be this:

has_field("winlogbeat_winlog_event_data_TargetDomainName") &&
contains(to_string($message.winlogbeat_winlog_event_data_TargetDomainName),"abc")

system · May 10, 2022, 11:54am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline Not Working Graylog Central (peer support) pipeline-rules , filebeat-windows	8	1132	October 18, 2022
Pipeline Rule + Regex Graylog Central (peer support) pipeline-rules	5	1571	May 17, 2022
Pipeline rule key/value with specific delimiter not working Graylog Central (peer support) pipeline-rules	3	647	September 21, 2023
Change Winlogbeat Field Names Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	5	2610	April 4, 2017
Testing Pipelines - Mines not working how do i test it? Graylog Central (peer support)	2	1907	June 19, 2020

Pipelines not working

Related topics