Rename message in pipeline

azamat.uzhangaliyev · October 5, 2018, 2:53pm

Hi everyone

I’m trying to rename a message inside of a field, I can successfully rename the field but not the message

rule “rename LogonType”
when
has_field(“LogonType”) AND contains(to_string($message.LogonType), “3”)
then
rename_field(“3”,“Network”);
end

Can you please help
Thank you!

megan201296 · October 5, 2018, 7:31pm

The rename field function cannot used to change field content. You will likely want to use a lookup table for your purpose. Here is an example: https://twitter.com/eric_capuano/status/1006326493998407680 . You would create a lookup table that correlates type to definition and then the pipeline would lookup and assign that value to a new field. Alternatively, you can use “set_field” and haev a rule for every logontype value. If you set the field logon type in the actions it’ll overwrite the “3” so:

rule “rename LogonType”
when
has_field(“LogonType”) AND contains(to_string($message.LogonType), “3”)
then
set_field(“LogonType”,“Network”);
end

azamat.uzhangaliyev · October 8, 2018, 1:48pm

Thank you so much for your reply:slightly_smiling_face:

system · October 22, 2018, 1:48pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rename fields "source to "DC_Name" Graylog Central (peer support)	3	804	December 20, 2022
How do you rename fields? Graylog Central (peer support) pipeline-rules , route-to-streampl	2	3489	January 3, 2019
How to rename nested field? Graylog Central (peer support) pipeline-rules	4	1555	July 23, 2020
Rename Multiple Fields Using Pipeline Rule Graylog Central (peer support) pipeline-rules	3	2052	May 10, 2019
Questions regarding pipeline processing / change field value of message Graylog Central (peer support)	3	3049	November 27, 2017

Rename message in pipeline

Related topics