WHOIS Lookup Not Loading into fields


(Ayoola Ayooluwa) #1

I integrated the Whois plugin and the lookup table test worked pretty fine. Refer to the screenshot below:

Now, I created a rule for it to create a field and populate the field with the corresponding “single value” of the lookup result. Refer to the screenshot below for the rule:

The rule creates the field Src_WHOIS, but the only value it holds is just “None”; it doesn't populate the field with the single value I desire to see.

Please, what am I doing wrong?

Thanks


(Ayoola Ayooluwa) #2


(Jochen) #3

What’s the exact name of the lookup table? It’s case-sensitive.
What’s the content of the “DstAddr” and “src_ip” fields of the messages? Again, they’re case-sensitive. Please provide some examples.

You can also use the debug() function or the pipeline simulator to find out what your functions are doing.


(Ayoola Ayooluwa) #4

@jochen

  1. The exact name of the lookup table is Whois. I feel the “None” shouldn't have worked in the first place if the name of the lookup table is wrong.

  2. The content of both the DstAddr and src_ip fields are destination addresses and source addresses respectively. It was an extractor I used in naming both fields, and both are working fine.

  3. Where do I run the debug() function please?


(Jochen) #5

You can add the debug() function to any rule to print the value of its argument in the logs of the Graylog node running the rule.
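As an added illustration of the advice in this thread (not a rule posted by either participant), the pipeline rule below shows where debug() goes relative to the lookup and the set_field() call. It uses the lookup table name Whois, the source field src_ip and the target field Src_WHOIS mentioned above; the rule name, the use of to_string() on the key and the default of "None" are assumptions made for this example. Graylog's pipeline functions lookup_value(), debug(), set_field(), has_field() and to_string() are all standard built-ins.

```text
rule "enrich src_ip with WHOIS (example)"
when
  // Only run when the key field actually exists; field names are case-sensitive.
  has_field("src_ip")
then
  // Normalise the key to a string before passing it to the lookup table.
  let key = to_string($message.src_ip);
  debug(concat("WHOIS lookup key: ", key));

  // lookup_value() returns the table's "single value" for the key, or the
  // default ("None" here, an assumed value) when the adapter returns nothing.
  let whois = lookup_value("Whois", key, "None");

  // Printed in the server log of the node running the rule, so you can see
  // whether the lookup itself returned a value or the default.
  debug(concat("WHOIS lookup result: ", to_string(whois)));

  set_field("Src_WHOIS", whois);
end
```

Reading the two debug lines in the Graylog server log (or stepping through the same rule in the pipeline simulator) separates the two failure modes the thread is circling: a key that is not the string you expect (wrong field name or casing) versus a lookup that returns nothing and falls through to the default.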


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.