airbus-cyber / graylog-plugin-alert-wizard

Alert Wizard plugin for Graylog to manage the alert rules

The pipeline rule created when using a Wizard List can lead to wrong results #49

Closed frantz45 closed 1 year ago

frantz45 commented 3 years ago

The pipeline rule uses the following condition to check if a value is in the list: `contains(to_string("wizard_lookup", "my_lookup", "")), to_string($message.fieldname), true)`. So the list is processed as a String, which can lead to wrong results. For example, if my list is "administrator; toto; root; foobar" and the value of "fieldname" is "admin": "admin" is included in "administrator", so the contains() function will return True, but it should have returned False as "admin" isn't in the list.

I think you should create a function "is_value_in_list" (because it seems Graylog doesn't provide it) so we could do: `is_value_in_list(to_string($message.fieldname), split(";", to_string("wizard_lookup", "my_lookup", "")))`

frantz45 commented 3 years ago

Graylog's community finds a nice solution and it's easy to implement:

```
rule "is_value_in_list"
when
  regex("^(admin|root|toto|foo)$", $message.user).matches == true
then
  set_field("user_in_list", "True");
end
```

Graylog Community: pipeline-check-if-a-value-is-in-a-list
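Added example (not code from the plugin or from the issue author) modelling the three checks discussed above in Python: the substring `contains()` test that produces the false positive, exact membership after splitting the lookup value on ";", and the anchored regex from the community answer. The lookup value and the field values are constructed samples mirroring the issue; the pattern builder escapes each entry, which the hand-written regex above does not need but a list-generated one does.

```python
import re

# Constructed sample: the lookup entry is one ";"-separated string, as the
# Wizard List stores it, and the message field under test is "admin".
LOOKUP_VALUE = "administrator; toto; root; foobar"
SEPARATOR = ";"


def contains_check(list_value: str, field_value: str) -> bool:
    """The substring test the issue describes: true for any substring of the
    joined list, so "admin" matches inside "administrator" (false positive)."""
    return field_value in list_value


def split_list(list_value: str, sep: str = SEPARATOR) -> list[str]:
    """Split the lookup string into entries, trimming whitespace and dropping
    empty items such as the one left by a trailing separator."""
    return [item.strip() for item in list_value.split(sep) if item.strip()]


def is_value_in_list(field_value: str, entries: list[str]) -> bool:
    """Exact (case-sensitive) membership, the semantics the issue asks for."""
    return field_value in entries


def build_anchored_regex(entries: list[str]) -> str:
    """Build the ^(a|b|c)$ pattern of the community answer from a list.
    re.escape keeps entries like "svc.backup" from being read as regex syntax;
    without the ^ and $ anchors the regex would match substrings again."""
    return "^(" + "|".join(re.escape(e) for e in entries) + ")$"


def regex_check(field_value: str, entries: list[str]) -> bool:
    """Search (not full-match) on purpose: the anchors in the pattern are what
    make the check exact, mirroring how a find-style regex behaves."""
    return re.search(build_anchored_regex(entries), field_value) is not None


if __name__ == "__main__":
    entries = split_list(LOOKUP_VALUE)
    for value in ("admin", "root"):
        print(value, contains_check(LOOKUP_VALUE, value),
              is_value_in_list(value, entries), regex_check(value, entries))
```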

c8y3 commented 2 years ago

Rather, add "is in lookup" and "is not in lookup" as new options in the alert rule definition

frantz45 commented 1 year ago

The new pipeline rule based on a lookup works well with no wrong results