Slookup plugin, rule

Hi guys,

I have to create a query what check MID in the last 10 sec, and if found a same ID another log line, It will get back a three field (Rule, From, To).

I do not know why it is not working, yet It get back “null” value.

rule "MID_Rule"
when
    has_field("MID") AND $message.MID == slookup("5b72d9e9de6c337abbb9b3e6", "MID", "MID", ["MID"], "10", "desc")[0]
then
    let system_info = slookup("5b72d9e9de6c337abbb9b3e6", "source", "source", ["Rule","To","From"], "10", "desc");
    set_field("Riport_Rule", system_info[0]);
    set_field("Riport_To", to_string(system_info[1]));
    set_field("Riport_From", system_info[2]);
end

Basicially I used this post https://github.com/billmurrin/graylog-plugin-slookup-function/issues/9

Any idea?
Thanks

Heyo @_gh05st,

have you tried wrapping $message.MID in to_string() ?

Greetings,
Philipp

Hey @DerPhlipsi

has_field("MID") AND to_string($message.MID == slookup("5b72d9e9de6c337abbb9b3e6", "MID", "MID", ["MID"], "10", "desc")[0])

Like this?

has_field("MID") AND to_string($message.MID) == slookup("5b72d9e9de6c337abbb9b3e6", "MID", "MID", ["MID"], "10", "desc")[0]

I tried, but unfortunately it not worked

Have you checked if your slookup returns the correct value?

Maybe there is a type somewhere

Greetings,
Philipp

When It worked half, it look like this.

rule "MID"
when
     has_field("MID") AND to_string($message.MID) == slookup("5b72d9e9de6c337abbb9b3e6", "MID", "MID", ["MID"], "60", "desc")[0]
then
    let system_info = slookup("5b72d9e9de6c337accc9b3e6", "MID", "MID", ["MID","From","To"], "60", "desc");
    set_field("Riport_MID", system_info[0]);
    set_field("Riport_From", system_info[1]);
    set_field("Riport_To", to_string(system_info[2]));
end

It give me back the To value with MID.
I do not know why.

You use a 60 second range in your “half working” variant, in the new one you use 10 seconds. Is that intentional? I guess that could be the issue, that there is simply nothing matching the MID in the last 10 seconds.

Greetings,
Philipp

I used 60 second on both value when it is worked half, but it has to match because the timestamp is equal if the MID is the same.

Well, the same timestamp has nothing to do with Graylog having processed the message.

The slookup does a normal query like any other query that Graylog does. If the message hasn’t been indexed yet, it can’t be found by the slookup plugin.

For debugging:
Try this:

rule "MID"
when
     has_field("MID")
then
    set_field("PIPELINE_DEBUG", slookup("5b72d9e9de6c337abbb9b3e6", "MID", "MID", ["MID"], "60", "desc")[0]);
end

Let it run and see if the values from your MID and PIPELINE_DEBUG fields always match.
At least that is what I would do

Greetings,
Philipp

Thanks,

The result is,

Any idea?

This is what I meant with this:

Your slookup does not return anything. This either means that your stream id 5b72d9e9de6c337abbb9b3e6 is not the correct one, the other function parameter have a typo or the messages containing the info you want to lookup have not been indexed yet.

Greetings,
Philipp

Okay but the rule give me back the From value with 60 sec.
I modified the rule and set the timerange to 120 sec.
But nothing changed.

So it is working but It only give for me back the From value.

Any Idea?
Thanks,

Could you provide some example data so for testing?

Greetings,
Philipp

Sure,

From log:
<22>Sep 10 14:12:47 mail_logs: Info: MID 407700 ready 20522 bytes from beef@xyz.com
To log:
<22>Sep 10 14:12:47 mail_logs: Info: MID 407700 ICID 843020 RID 0 To: 1234@asdf.com

And If it will work fine, I would like to add a third field based on MID, which name is Rule.

Rule log:
<22>Sep 10 11:58:55 mail_logs: Info: MID 407705 was generated based on MID 407700 by notify filter ‘XYZ_Rule’

Thanks for your help,

Could you tested it?

Thanks,

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.