Unable to reference fields in pipeline rules

Hey!

I am new to Graylog and have just set it up to import logs from Squid.

I am trying to set up a rule with a lookup table such that every message will convert the IP to a city name and store it in a field. I used this guide.

I was able to set up a lookup table just fine, but when I am creating the pipeline it seems that I can only reference the timestamp and source fields of a message, for example, this works:
let geo = to_string($message.timestamp);
set_field("test", geo);

but this doesn’t:
let geo = to_string($message.Client_Address);
set_field("test", geo);

Does anybody know why I can’t reference any field but the timestamp and source? Did I misconfigure the extractors?

Thanks!

It’s a problem with processing order:

  • Check your processing order. Please move your Message Filter chain before Pipeline Processor.

Thanks! I changed the order on the configuration page but it still didn’t work. I ended up using the built-in plugin and it works, so I guess I will leave it for now.

I don’t think you are using the right code if your purpose is to use a GeoIP lookup table.

You’ve used let geo = to_string($message.Client_Address);, but in the example article, they use the lookup function: let geo = lookup("geoip", to_string($message.Client_Address));
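
Added example, not part of the original thread or the linked guide: a pair of pipeline rules that combine both replies above. The first runs the GeoIP lookup only when the extractor has already populated Client_Address; the second tags messages that reach the pipeline without it, which is what a wrong processing order looks like. The lookup table name "geoip" and the field Client_Address come from the thread; the output field names Client_Address_city and geo_lookup_skipped are assumptions, and the geo["city"].names.en path assumes a city-database GeoIP data adapter.

```graylog
// Rule 1: enrich only when the extractor has already run.
// If the Pipeline Processor runs before the Message Filter Chain,
// Client_Address does not exist yet and this rule never matches.
rule "GeoIP lookup: Client_Address"
when
  has_field("Client_Address")
then
  // "geoip" is the lookup table named in the thread
  let geo = lookup("geoip", to_string($message.Client_Address));
  // Client_Address_city is an assumed output field name
  set_field("Client_Address_city", geo["city"].names.en);
end

// Rule 2: diagnostic marker for messages that arrive without the field.
// Searching for geo_lookup_skipped:true shows whether the processing
// order change has taken effect. geo_lookup_skipped is an assumed name.
rule "GeoIP lookup skipped: Client_Address missing"
when
  NOT has_field("Client_Address")
then
  set_field("geo_lookup_skipped", true);
end
```

Both rules belong in the same pipeline stage; once no new messages carry geo_lookup_skipped, the second rule can be removed.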
