Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

lookup table set_field fail for boolean field #8716

Closed GGlhavet closed 4 years ago

GGlhavet commented 4 years ago

Hello,

After a lookup rule with the maxmind geoip plugin, certain fields are not displayed in the result.

The pipeline rule is the following:

rule "function DNS_LOOKUP_HTTP"
when
    has_field("ip_source")
then
    let maxmind = lookup("maxmind-geo-ip-country", to_string($message.ip_source));
    set_field("maxmind_country_ip_", maxmind["traits"].ip_address);
    set_field("maxmind_country_proxy_", maxmind["traits"].is_anonymous_proxy);
end

The rule sets the field maxmind_country_ip_ in the result trap, but the line for the boolean field maxmind_country_proxy_ is not in the result trap.

When I try to fetch the second field with the to_bool operator I get the following error:

{
    "type": "mapper_parsing_exception",
    "reason": "failed to parse field [maxmind_traits] of type [boolean] in document with id 'f3f86bc1-d7c3-11ea-86da-022e0d76f643'",
    "caused_by": {
        "type": "i_o_exception",
        "reason": "Current token (START_OBJECT) not of boolean type\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@2e8cf0cc; line: 1, column: 1691]"
    }
}

Even though all the traits lines are defined in the maxmind object:

{
    "country": {
        "confidence": null,
        "geoname_id": 3017382,
        "is_in_european_union": true,
        "iso_code": "FR",
        "names": {
            "de": "Frankreich",
            "ru": "Франция",
            "pt-BR": "França",
            "ja": "フランス共和国",
            "en": "France",
            "fr": "France",
            "zh-CN": "法国",
            "es": "Francia"
        }
    },
    "traits": {
        "autonomous_system_number": null,
        "autonomous_system_organization": null,
        "connection_type": null,
        "domain": null,
        "ip_address": "x.x.x.x",
        "is_anonymous": false,
        "is_anonymous_proxy": false,
        "is_anonymous_vpn": false,
        "is_hosting_provider": false,
        "is_legitimate_proxy": false,
        "is_public_proxy": false,
        "is_satellite_provider": false,
        "is_tor_exit_node": false,
        "isp": null,
        "organization": null,
        "user_type": null
    }
}


So I am writing to you to identify whether my issue is a bug or a misuse of the maxmind plugin.
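The exception quoted above is Elasticsearch refusing a document because the field maxmind_traits is mapped as boolean while the incoming value is an object (START_OBJECT). The following Python sketch is an added illustration, not code from the issue or from the Graylog project: it flattens a nested lookup result of the shape shown above into scalar fields and checks each field against an assumed index mapping before indexing, which avoids this class of mapper_parsing_exception whatever produced the object. The mapping, the field prefix and the trimmed lookup result are constructed for the example.

```python
"""Added example (not from the issue or from Graylog): flatten a nested lookup
result into scalar fields and pre-check field types against an index mapping."""

# Constructed sample: a trimmed copy of the MaxMind lookup result quoted above.
MAXMIND_RESULT = {
    "country": {"geoname_id": 3017382, "is_in_european_union": True, "iso_code": "FR"},
    "traits": {
        "ip_address": "x.x.x.x",
        "is_anonymous_proxy": False,
        "is_tor_exit_node": False,
        "isp": None,
    },
}

# Constructed assumption: the mapping the index already holds for these fields.
# "maxmind_traits": "boolean" models what the error message implies.
INDEX_MAPPING = {
    "maxmind_traits": "boolean",
    "maxmind_traits_ip_address": "keyword",
    "maxmind_traits_is_anonymous_proxy": "boolean",
}

# Rough correspondence between Python value types and Elasticsearch field types.
ES_TYPE_OF_PY = {
    bool: "boolean",
    str: "keyword",
    int: "long",
    float: "double",
    dict: "object",
    list: "array",
}


def flatten_lookup(result: dict, prefix: str) -> dict:
    """Turn {"traits": {"is_anonymous_proxy": False}} into
    {"<prefix>_traits_is_anonymous_proxy": False}.

    Nested objects become one scalar field per leaf, so no field ever receives
    an object where the mapping expects a boolean. Nulls are dropped so they
    cannot create a field whose type is undetermined."""
    flat = {}
    for key, value in result.items():
        name = f"{prefix}_{key}"
        if isinstance(value, dict):
            flat.update(flatten_lookup(value, name))
        elif value is not None:
            flat[name] = value
    return flat


def mapping_conflicts(doc: dict, mapping: dict) -> list:
    """Return (field, expected_type, actual_type) for every field in doc whose
    value type does not match the type recorded in mapping. Fields absent from
    the mapping are skipped, since dynamic mapping would simply create them."""
    conflicts = []
    for field, value in doc.items():
        expected = mapping.get(field)
        if expected is None:
            continue
        actual = ES_TYPE_OF_PY.get(type(value), type(value).__name__)
        if actual != expected:
            conflicts.append((field, expected, actual))
    return conflicts


def naive_doc() -> dict:
    """A document that stores the whole traits sub-object in one field: this is
    the shape the index rejects with 'START_OBJECT not of boolean type'."""
    return {"maxmind_traits": MAXMIND_RESULT["traits"]}


def flattened_doc() -> dict:
    """The same data flattened to scalars, which passes the mapping check."""
    return flatten_lookup(MAXMIND_RESULT, "maxmind")


if __name__ == "__main__":
    print("naive:", mapping_conflicts(naive_doc(), INDEX_MAPPING))
    print("flattened:", mapping_conflicts(flattened_doc(), INDEX_MAPPING))
    print(flattened_doc())
```

Running the check before indexing turns a silent drop or a per-document indexing failure into an explicit list of conflicting fields, which is the signal you want in a pipeline that enriches security events with geo and proxy attributes.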

florianpopp commented 4 years ago

We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.

Thank you!

GGlhavet commented 4 years ago

Hello,

Thank you for your answer. I'll look in the forum for answers to my issue.

Regards