Hi,
Thanks for Graylog! I'm trying to do the GeoIP rules to add the geo fields to my data. I followed the tutorial blog post (How to Set Up Graylog GeoIP Configuration | Graylog) and all seemed well after fixing some quote issues. But in my pipeline rules it seems that when I set up this rule it cannot parse data out of the fields in the message. Here is my code:
rule "GeoIP lookup: src"
when
  has_field("src")
then
  // note: this debug line reads $message.domain, while the rest of the rule uses $message.src
  let ipAddy = to_string($message.domain);
  debug(concat("IP Addy: ", ipAddy));
  let geo = lookup("geoip", to_string($message.src));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
  let debug_message = concat("GeoIP from IP ", to_string($message.src));
  debug(debug_message);
end
What happens is that $message.src does not really exist, since it fails the test and never runs the code. If I cheat and change the field to test for to "message" I can force the code to run, but essentially $message.src is always blank (no value).
Here is what shows in my search when I look at the messages coming in from my appliance:
In search I can use the field names to search with no issue, but in my rule there are no values…
I followed the instructions to install my server from the official docs on CentOS 7 and it seems like all works well (version 4 of Graylog and all recommended versions of ES and Mongo).
Where should I check next? Thanks in advance.
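A guarded variant of the rule above, added here as an illustration; it is not code from the original post or from Graylog's documentation. It assumes the lookup table is still named `geoip`, that `lookup()` returns null when the table has no entry for the key, and that the result has the same `coordinates` / `country` / `city` shape the post uses. The `when` clause only lets the rule run when the field is present and the lookup actually produced a result, so `set_field` never writes empty or null geo fields, and the debug line logs the same field the lookup uses.

```graylog
rule "GeoIP lookup: src (guarded)"
when
  // run only when the field is present on the message at this pipeline stage
  // and the geoip table returns a result for it
  has_field("src") && is_not_null(lookup("geoip", to_string($message.src)))
then
  let src = to_string($message.src);
  // log the field the rule actually looks up, so a missing value shows up in the server log
  debug(concat("GeoIP lookup for src: ", src));
  let geo = lookup("geoip", src);
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

If the debug line never appears in the Graylog server log even though `src` is visible in search, the field is not on the message at the moment this pipeline stage runs, which points at the processing order (the Message Processors Configuration under System > Configurations, where the Message Filter Chain that runs extractors sits relative to the Pipeline Processor) rather than at the rule itself.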