I am trying to implement these rules one at a time but it does not appear like anything is being done. I am showing 0 messages being processed:
rule "Extract: Sonicwall Extraction"
when
    has_field("source") AND contains(to_string($message.source), "192.168.1.1", true)
then
    set_fields(
        fields: key_value(
            value: to_string($message.message),
            // remove double quotes from keys and values
            trim_value_chars: "\"",
            trim_key_chars: "\""
        )
    );
end
Screenshot does not show it but it’s tied to the correct stream.
Message from stream:
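The following is an added example, not part of the post above and not Graylog's own code. It models, in Python, what the rule is meant to do so the two halves can be checked separately: `rule_matches` mirrors the `when` clause (the `source` field must exist and contain `192.168.1.1`, case-insensitively), and `key_value` mirrors the `key_value` call with double quotes trimmed from keys and values. The SonicWall-style message, the field names and the values are constructed for illustration; the regex-based splitter is an assumption about the intended parsing (it keeps quoted values such as `time="... ..."` together), not a description of Graylog's internal splitter.

```python
import re

# Constructed sample message, shaped like a SonicWall syslog line.
# Values are made up; "0017C5XXXXXX" is a placeholder serial number.
SAMPLE_MESSAGE = {
    "source": "192.168.1.1",
    "message": (
        'id=firewall sn="0017C5XXXXXX" time="2024-01-02 10:11:12" '
        'fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" '
        'src=10.0.0.5:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https'
    ),
}

# key=value pairs: key is anything up to '=', value is either a
# double-quoted string (spaces allowed) or a run of non-whitespace.
KV_RE = re.compile(r'([^\s=]+)=("(?:[^"\\]|\\.)*"|\S+)')


def rule_matches(message, needle="192.168.1.1"):
    """Equivalent of: has_field("source") AND contains(source, needle, true)."""
    source = message.get("source")
    if source is None:
        return False
    # third argument `true` in the rule means ignore case
    return needle.lower() in str(source).lower()


def key_value(value, trim_key_chars='"', trim_value_chars='"'):
    """Split a key=value string into a dict, trimming the given chars."""
    fields = {}
    for match in KV_RE.finditer(value):
        key = match.group(1).strip(trim_key_chars)
        val = match.group(2).strip(trim_value_chars)
        fields[key] = val
    return fields


def apply_rule(message):
    """Return the fields the rule would set, or None if the when-clause fails."""
    if not rule_matches(message):
        return None
    return key_value(str(message.get("message", "")))


if __name__ == "__main__":
    for key, val in (apply_rule(SAMPLE_MESSAGE) or {}).items():
        print(f"{key}={val}")
```

Running `apply_rule` on a message whose `source` is missing or does not contain the address returns `None`, which corresponds to the rule never reaching `then`; that is the first thing to confirm when the rule reports 0 messages processed.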