Removing trailing dot from FQDN value

I’m working on a pipeline rule on a Graylog 4 box that uses a lookup table to essentially convert an IP address to a fully-qualified hostname (FQDN). The actual lookup works perfectly, but the result has a dot on the end. While this may be technically accurate from a DNS perspective, it’s not what I want. How do I remove the trailing dot so that “somehost.example.com.” becomes just “somehost.example.com”? I tried using regex and I couldn’t get it working.

Suggestions are very welcome!!!

Hello @jbailey

Correct me if I’m wrong: you configured a pipeline rule to use a lookup table and there is a dot at the end of the FQDN?

Does your pipeline look something similar to this?

rule " lookup: src_ip"
when
  has_field("src_ip")
then
  let fqdn_source = lookup("fqdn", to_string($message.src_ip));
  set_field("src_name", fqdn_source);
end

If so, double check your lookup table config & CSV file if you’re using that.

This is my rule:

rule "Security > TACACS Client"
when
    has_field("tacacs_client")
then
    let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
    set_field("tacacs_client_hostname", hostname);

end

I extract the IP from a log in an earlier processing stage. The lookup table does a reverse DNS lookup on the IP and grabs the FQDN, but adds a dot.

If you only want to remove the last letter of whatever string, I can recommend the substring() function:

substring(value: string, start: long, [end: long])

Returns a substring of value starting at the start offset (zero-based indices), optionally ending at the end offset. Both offsets can be negative, indicating positions relative to the end of value.

Your rule could look like this:

rule "Security > TACACS Client"
when
    has_field("tacacs_client")
then
    let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
    hostname = substring(value:hostname, start:0, end:-1) 
    set_field("tacacs_client_hostname", hostname);

end
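An added example, not code from the thread or from Graylog: the answer above drops the last character unconditionally, so if the lookup adapter ever returns a name without the trailing dot (or nothing at all), `substring(0, -1)` would chop a real character. The Python below models the same enrichment step (lookup, clean, set field) but strips the dot only when it is present and leaves the field unset when the lookup yields nothing. The lookup table and field names are constructed stand-ins for the thread’s `dns-lookup` adapter and `tacacs_client` fields.

```python
# Added example (not from the thread): normalise a reverse-DNS result the way
# a pipeline rule should, removing the DNS root dot only when it is there.
from typing import Optional


def strip_trailing_dot(fqdn: Optional[str]) -> Optional[str]:
    """Return the FQDN without its trailing DNS root dot.

    Unlike an unconditional substring(0, -1), the last character is removed
    only when it really is the trailing dot, so a value that already lacks
    it ("somehost.example.com") is left untouched. None and "" pass through
    unchanged so the caller can decide not to set the field at all.
    """
    if not fqdn:
        return fqdn
    if fqdn == ".":            # the DNS root itself has no label to keep
        return ""
    if fqdn.endswith("."):
        return fqdn[:-1]
    return fqdn


def resolve_hostname(ip: str, table: dict) -> Optional[str]:
    """Mimic lookup_value(): return the cleaned hostname, or None if absent."""
    raw = table.get(ip)
    if raw is None:
        return None
    cleaned = strip_trailing_dot(raw)
    return cleaned or None     # empty result means "do not set the field"


def enrich(message: dict, table: dict) -> dict:
    """Mimic the pipeline rule: set tacacs_client_hostname only on success."""
    ip = message.get("tacacs_client")
    if ip is None:
        return message
    name = resolve_hostname(ip, table)
    if name is not None:
        message["tacacs_client_hostname"] = name
    return message


# Constructed sample lookup table standing in for the "dns-lookup" adapter.
SAMPLE_DNS_TABLE = {
    "192.0.2.10": "somehost.example.com.",   # typical PTR answer, trailing dot
    "192.0.2.11": "otherhost.example.com",   # adapter already stripped it
    "192.0.2.12": "",                        # lookup returned nothing useful
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"):
        print(ip, "->", enrich({"tacacs_client": ip}, SAMPLE_DNS_TABLE))
```

The second case (`192.0.2.11`) is the one the thread’s `substring(0, -1)` would get wrong, returning `otherhost.example.co`; the third and fourth cases show why a failed lookup should leave the field unset rather than write an empty string that later searches would match on.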

This is a great approach but the line as you had it threw errors in the rule editor.

This is what I have now – no errors, but it’s not setting the field either:

rule "Security > TACACS Client"
when
    has_field("tacacs_client")
then
    let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
    let hostname = substring(to_string(hostname), 0, -1);
    set_field("tacacs_client_hostname", hostname);
end

Your field tacacs_client is set properly, but the field tacacs_client_hostname is missing? Did you try to manually test your value from tacacs_client in the lookup table?

It’s working correctly now. My lookup table had been renamed and that naturally broke things. Now that I corrected that, the rule (with your suggested fix) is working as expected.

Thanks for the tip!

That sounds great. Please mark your solution for others :slight_smile:
