WHOIS Lookup Not Loading into fields

I integrated the Whois plugin and the lookup table test worked pretty fine. Refer to the screenshot below:

Now, I created a rule for it to create a field and populate the field with the corresponding “single value” of the lookup result. Refer to the screenshot below for the rule:


The rule creates the field Src_WHOIS, but the only value it holds is just “None”; it doesn't populate the field with the single value I desire to see.

Please, what am i doing wrong?

Thanks

What’s the exact name of the lookup table? It’s case-sensitive.
What’s the content of the “DstAddr” and “src_ip” fields of the messages? Again, they’re case-sensitive. Please provide some examples.

You can also use the debug() function or the pipeline simulator to find out what your functions are doing.

@jochen

  1. The exact name of the lookup table is Whois. I feel the “None” shouldn't have worked in the first place if the name of the lookup table is wrong.

  2. The content of both the DstAddr and src_ip are destination addresses and source addresses respectively. It was an extractor I used in naming both fields, and both are working fine.

  3. Where do I run the debug() function, please?

You can add the debug() function to any rule to print the value of its argument in the logs of the Graylog node running the rule.
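As an added example (not code from the thread or from the Graylog project), a pipeline rule that does the lookup, prints what it returned with debug(), and writes the result into the field. The table name "Whois" and the field name "src_ip" are taken from the thread; the "not-found" default and the rule title are assumptions.

```graylog
rule "enrich src_ip with WHOIS single value"
when
    // only run on messages that actually carry the field (name is case-sensitive)
    has_field("src_ip")
then
    // lookup_value() returns the lookup table's "single value"; the first
    // argument must match the table name exactly, including case
    let key = to_string($message.src_ip);
    let result = lookup_value("Whois", key, "not-found");

    // both lines appear in server.log of the node running the rule as
    // "PIPELINE DEBUG: ..." so you can see the key and the value returned
    debug(concat("WHOIS key: ", key));
    debug(result);

    // an assumed default ("not-found") makes a failed lookup visible in the
    // message instead of leaving the field empty or literal "None"
    set_field("Src_WHOIS", result);
end
```

Run the rule against a stored message in the pipeline simulator first: if Src_WHOIS comes back as "not-found" while the debug line shows the expected key, the problem is the table name or the data adapter, not the field extraction.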
