I am new to Graylog and have just set it up to import logs from Squid.
I am trying to set up a rule with a lookup table such that every message will convert the IP to a city name and store it in a field; I used this guide.
I was able to set up a lookup table just fine, but when I am creating the pipeline it seems that I can only reference the timestamp and source fields of a message. For example, this works:
let geo = to_string($message.timestamp);
set_field("test", geo);
but this doesn’t:
let geo = to_string($message.Client_Address);
set_field("test", geo);
Does anybody know why I can't reference any field but the timestamp and source? Did I misconfigure the extractors?
Thanks! I changed the order on the configuration page but it still didn’t work. I ended up using the built-in plugin and it works, so I guess I will leave it for now.
I don't think you are using the right code if your purpose is to use the GeoIP lookup table.
You've used let geo = to_string($message.Client_Address);, but in the example article they use the lookup function: let geo = lookup("geoip", to_string($message.Client_Address));