Exception when a split field is numeric

[frantz45]

The following exception happens if a split field is numeric:

2022-08-24T15:01:54.332+02:00 ERROR [JobExecutionEngine] Unhandled job execution error - trigger=63062141c0374e468fc277f5 job=63061df4c0374e468fc26f63
java.lang.ClassCastException: java.lang.Integer cannot be cast to java.lang.String
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.buildSplitFieldsSearchQuery(LoggingAlertUtils.java:144) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getMessagesUrl(LoggingAlertUtils.java:188) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getListOfLoggingAlertField(LoggingAlertUtils.java:217) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlert.execute(LoggingAlert.java:94) ~[?:?]
        at org.graylog.events.notifications.EventNotificationExecutionJob.execute(EventNotificationExecutionJob.java:135) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at com.codahale.metrics.Timer.time(Timer.java:151) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
        at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_262]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_262]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_262]

---

To reproduce this issue:

1. Create the following Logging Alert notification :

   Description:    Generated by the alert wizard
   Alert Severity: LOW
   Log Content:
   alert_id: ${logging_alert.id}
   alert_title: ${event_definition_title} - ${if backlog && backlog[0]}${backlog[0].fields.dest_port}${end}
   alert_description: 
   severity: ${logging_alert.severity}
   create_time: ${event.timestamp_processing}
   detect_time: ${logging_alert.detect_time}
   analyzer: graylog
   messages_url: ${logging_alert.messages_url}
   custom: 
   drilldown: P30M
   Split Fields:   dest_port
   Aggregation Time Range: 1440
   Alert Tag:  LoggingAlert
   Single Notification:    false

2. Create the following Event Definition:

   Aggregation Count Alert Condition
   Stream: 63061df4c0374e468fc26f5c
   Threshold Type: MORE
   Threshold:  9
   Search within:  2 minutes
   Execute search every:   2 minutes
   Grouping Fields:    dest_port
   Distinction Fields: No distinction fields for this condition.
   Comment:    Generated by the alert wizard
   Search Query:   *

3. Send some logs to trigger the rule (at least 10 logs):

   while true; do echo '<1>Aug 24 15:00:06 test006 json: {"dest_port": 1234}' | nc 127.0.0.1 2514; done

---

If the logs I send are not numeric it works well (no exception and the notification log is generated):

while true; do echo '<1>Aug 24 15:00:06 test006 json: {"dest_port": "1234"}' | nc 127.0.0.1 2514; done

I've checked the Elasticsearch index mapping and this field "dest_port" is a keyword and not a long:

curl 'https://elasticsearch:9200/graylog_0/_mapping/field/dest_port'
{"graylog_0":{"mappings":{"dest_port":{"full_name":"dest_port","mapping":{"dest_port":{"type":"keyword"}}}}}}

[c8y3]

Note: to reproduce, there must be a "Message Backlog" for the notification in the event definition.

[frantz45]

I confirm it's fixed in v4.1.2