billmurrin / graylog-plugin-slookup-function

Stream Lookup function for GrayLog2 Pipeline Processor
GNU General Public License v3.0

Return "No Match Found" while values are similar #10

Closed sojip closed 6 years ago

sojip commented 6 years ago

Hello. I'm new to Graylog and sorry for my English. I don't speak it well. So I wrote this pipeline rule:

when has_field("Local_IP_Adress") then let Nom_Compte = slookup("5b3f46a29cf6501d418b123f", "Local_IP_Adress", "IpAddress", ["TargetUserName"], "300", "desc"); set_field("TargetUserName", (Nom_Compte)); end

It returns "No Match Found" while the values inside the two fields "Local_IP_Adress" and "IPAddress" are the same. Can somebody help me to fix this issue please?

billmurrin commented 6 years ago

Hi @sojip,

I'm sorry that you are experiencing issues with the plugin.

I don't think that the parentheses around Nom_Compte are required. Since it returns a List object, you can access the results using the index number (the first is 0).

Does something like this work?

when
has_field("Local_IP_Adress")
then
let Nom_Compte = slookup("5b3f46a29cf6501d418b123f", "Local_IP_Adress", "IpAddress", ["TargetUserName"], "300", "desc");
set_field("TargetUserName", Nom_Compte[0]);
end

If so, let me know, I think that the documentation example is missing the [0].

P.S. Your english is great! :-)

sojip commented 6 years ago

Hi @billmurrin,

I have the same result, "No Match Found". Let me explain what I want to achieve; maybe I'm doing things wrong. I have a stream that contains router logs with Local_Ip_Adress and another one that contains system logs with Ip_Address and TargetUserName. So I want to make a pipeline rule so that when Local_Ip_Adress matches Ip_Address, it returns the TargetUserName associated with the IP. Please tell me if I'm doing things wrong. Thank you for your help.

billmurrin commented 6 years ago

What is the stream id of the one that contains Local_Ip_Adress? Is it 5b3f46a29cf6501d418b123f?

You have validated that the timestamps on the logs are within 300 seconds (5 minutes).

Are there any extra spaces in either log that would make the IP addresses not line up?

If you do a search in the web interface for the field name on each stream, does it work?

For example, in stream 1:

Local_IP_Adress:10.0.0.1

And in stream 2:

Ip_Address:10.0.0.1

The Pipeline rule is applied to which stream?

sojip commented 6 years ago

Hello. No, 5b3f46a29cf6501d418b123f is the stream ID of the one that contains IpAddress and TargetUserName. There are no extra spaces in either log. When I make searches in the web interface for the field name on each stream, it works. The pipeline rule is applied to the stream that contains Local_Ip_Adress. Am I missing something, please?

sojip commented 6 years ago

Hello @billmurrin,

You have validated that the timestamps on the logs are within 300 seconds (5 minutes). // Yes, that was my error. I finally fixed it. Thank you very much. I set the timestamp range to 14400 and everything is OK now.
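As an added illustration of why the lookup in this thread missed, here is a small Python model of the lookup semantics as described above: match on a field value, restrict to events within a time window (in seconds) of the message being processed, pick the newest or oldest match, and return the requested fields as a list. This is not the plugin's code and not part of the thread; the exact window semantics, the list-shaped return value and the literal "No Match Found" are assumptions taken from the discussion, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the issue): the lookup stream holds logon
# events carrying IpAddress and TargetUserName; the router event is the
# message the pipeline rule runs on.
LOOKUP_STREAM = [
    {"timestamp": datetime(2018, 7, 6, 8, 0, 0), "IpAddress": "10.0.0.1", "TargetUserName": "alice"},
    {"timestamp": datetime(2018, 7, 6, 9, 30, 0), "IpAddress": "10.0.0.1", "TargetUserName": "bob"},
    {"timestamp": datetime(2018, 7, 6, 11, 45, 0), "IpAddress": "10.0.0.2", "TargetUserName": "carol"},
]
ROUTER_EVENT = {"timestamp": datetime(2018, 7, 6, 10, 0, 0), "Local_IP_Adress": "10.0.0.1"}


def slookup(stream, message, src_field, dst_field, return_fields, time_range_seconds, sort_order):
    """Assumed model of slookup: equality on src/dst field, +/- time window
    around the processed message, newest ("desc") or oldest ("asc") match.
    The range is accepted as a string because the rule passes "300"."""
    window = timedelta(seconds=int(time_range_seconds))
    value = message.get(src_field)
    candidates = [
        m for m in stream
        if m.get(dst_field) == value
        and abs(m["timestamp"] - message["timestamp"]) <= window
    ]
    if not candidates:
        return "No Match Found"
    candidates.sort(key=lambda m: m["timestamp"], reverse=(sort_order == "desc"))
    return [candidates[0].get(f) for f in return_fields]


def resolve_user(router_event, time_range_seconds, sort_order="desc"):
    """Mirrors the rule: set_field("TargetUserName", Nom_Compte[0])."""
    result = slookup(LOOKUP_STREAM, router_event, "Local_IP_Adress", "IpAddress",
                     ["TargetUserName"], time_range_seconds, sort_order)
    if result == "No Match Found":
        return result
    return result[0]


if __name__ == "__main__":
    # Same IP in both streams, but the nearest logon is 30 minutes away:
    # a 300 s window misses, a 14400 s (4 h) window matches.
    print(resolve_user(ROUTER_EVENT, "300"))
    print(resolve_user(ROUTER_EVENT, "14400"))
```

Both logon events for 10.0.0.1 fall inside the 4 h window, so the sort order decides which TargetUserName is returned.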