1. Describe your incident:
I can’t rename SNMP UDP input fields after translating them with MIB files
2. Describe your environment:
OS Information:
Ubuntu 18.04.3
Package Version:
Graylog 3.1.3
Service logs, configurations, and environment variables:
SNMP UDP input
3. What steps have you already taken to try and solve the problem?
```
rule "rename_field"
when
    has_field("snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0") AND
    contains(to_string($message.gl2_source_input), "62161baa49885931b58ba41f", true)
then
    rename_field("snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0", "alarm_source");
end
```
or
```
rule "rename_field"
when
    has_field("snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0") AND
    contains(to_string($message.gl2_source_input), "62161baa49885931b58ba41f", true)
then
    // copy the translated SNMP value into a new, readable field
    let alarm_source = to_string($message.snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0);
    set_field("alarm_source", alarm_source);
end
```
Are you sure the message has a gl2_source_input field? Also, it always helps if you post the original message… and use the </> tool around code to make it readable… (I did </> for you)
You could use the debug() function to figure out what is going on in your rule:
```
rule "rename_field"
when
    has_field("snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0") AND
    contains(to_string($message.gl2_source_input), "62161baa49885931b58ba41f", true)
then
    debug("==================================================================================================================");
    debug(concat("++++ my gl2 field should have 62161baa49885931b58ba41f in it: ", to_string($message.gl2_source_input)));
    debug(concat("++++ my snmp field contains: ", to_string($message.snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0)));
    //
    rename_field("snmp_1_3_6_1_4_1_2011_2_15_1_7_1_1_0", "alarm_source");
    //
    debug(concat("++++ my NEW field contains: ", to_string($message.alarm_source)));
    debug("==================================================================================================================");
end
```
By debugging our rule we found, as below, that the message went to the pipeline before being translated with its MIBs:
```
2022-03-13T13:15:02.385+02:00 INFO [Function] PIPELINE DEBUG: ==================================================================================================================
2022-03-13T13:15:02.385+02:00 INFO [Function] PIPELINE DEBUG: ++++ my gl2 field should have 62161baa49885931b58ba41f in it: 62161baa49885931b58ba41f
2022-03-13T13:15:02.385+02:00 INFO [Function] PIPELINE DEBUG: ++++ my snmp field contains:
2022-03-13T13:15:02.385+02:00 INFO [Function] PIPELINE DEBUG: ++++ my NEW field contains:
2022-03-13T13:15:02.385+02:00 INFO [Function] PIPELINE DEBUG: ==================================================================================================================
```
By the way, our Message Processors Configuration is as below:
OK, not the answer, I had thought “many thanks” meant it was. It is not clear to me what you are explaining. I don’t know what pipeline you are speaking of, the one with the rule or another one? If the fields are not there in the debug rule I posted, then either they are not there at that point and you need to shift your change field rules somewhere else, or figure out why those fields are not there. I do not know anything about the flow of your data, what it looks like coming in or what is actually in the message until you post it.