Closed sojip closed 6 years ago
Hi @sojip,
I'm sorry that you are experiencing issues with the plugin.
I don't think that the parentheses around `Nom_Compte` are required. Since it returns a List object, you can access the results using the index number (the first is 0).
Does something like this work?
```
when
  has_field("Local_IP_Adress")
then
  let Nom_Compte = slookup("5b3f46a29cf6501d418b123f", "Local_IP_Adress", "IpAddress", ["TargetUserName"], "300", "desc");
  set_field("TargetUserName", Nom_Compte[0]);
end
```
If so, let me know, I think that the documentation example is missing the `[0]`.
P.S. Your English is great! :-)
Hi @billmurrin
I have the same result, "No Match Found". Let me explain what I want to achieve; maybe I'm doing things wrong. I have a stream that contains router logs with Local_Ip_Adress and another one that contains system logs with Ip_Address and TargetUserName. So I want to make a pipeline rule so that when Local_Ip_Adress matches Ip_Address, it returns the TargetUserName associated with the IP. Please tell me if I'm doing things wrong. Thank you for your help.
What is the stream id of the one that contains Local_Ip_Adress? Is it `5b3f46a29cf6501d418b123f`?
You have validated that the timestamps on the logs are within 300 seconds (5 minutes).
Are there any extra spaces in either log that would make the IP addresses not line up?
If you do a search in the web interface for the field name on each stream, does it work?
For example, in stream 1:
Local_IP_Adress:10.0.0.1
And in stream 2:
Ip_Address:10.0.0.1
The Pipeline rule is applied to which stream?
Hello. No, 5b3f46a29cf6501d418b123f is the stream ID of the one that contains IpAddress and TargetUserName. There are no extra spaces in either log. When I search in the web interface for the field name on each stream, it works. The pipeline rule is applied to the stream that contains Local_Ip_Adress. Am I missing something, please?
Hello @billmurrin

> You have validated that the timestamps on the logs are within 300 seconds (5 minutes).

Yes, that was my error. I finally fixed it. Thank you very much. I set the timestamps to 14400 and everything is OK now.
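The failure mode resolved above, as an added Python model (not code from the plugin or from either poster): the lookup only sees messages inside the time range, so a 300-second window misses a logon that a 14400-second window finds. `model_slookup`, `enrich`, the sample events and the list-with-"No Match Found" return shape are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NO_MATCH = "No Match Found"  # string the thread reports when nothing matches

# Constructed sample data: the system-log stream with IpAddress and TargetUserName.
NOW = datetime(2018, 7, 10, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
SYSTEM_STREAM = [
    {"timestamp": NOW - timedelta(hours=3), "IpAddress": "10.0.0.1", "TargetUserName": "alice"},
    {"timestamp": NOW - timedelta(minutes=40), "IpAddress": "10.0.0.1", "TargetUserName": "bob"},
    {"timestamp": NOW - timedelta(minutes=50), "IpAddress": "10.0.0.2", "TargetUserName": "carol"},
]


def model_slookup(stream, src_value, dst_field, rtn_fields, time_range, sort_order, now):
    """Hypothetical model of the lookup: find messages whose dst_field equals
    src_value and that are at most time_range seconds older than `now`."""
    cutoff = now - timedelta(seconds=int(time_range))
    hits = [m for m in stream
            if m.get(dst_field) == src_value and cutoff <= m["timestamp"] <= now]
    if not hits:
        return [NO_MATCH]  # assumed return shape, so that [0] still works
    # "desc" puts the newest matching message first, "asc" the oldest.
    hits.sort(key=lambda m: m["timestamp"], reverse=(sort_order == "desc"))
    return [hits[0].get(field) for field in rtn_fields]


def enrich(router_msg, time_range):
    """Mirror of the rule in the thread: copy element [0] into TargetUserName."""
    if "Local_IP_Adress" not in router_msg:
        return router_msg  # has_field() guard: leave other messages untouched
    result = model_slookup(SYSTEM_STREAM, router_msg["Local_IP_Adress"], "IpAddress",
                           ["TargetUserName"], time_range, "desc", router_msg["timestamp"])
    return {**router_msg, "TargetUserName": result[0]}
```

In this model the wider window also brings the three-hour-old logon into range, so the sort order decides which user is attributed to the IP: "desc" picks the most recent one.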
Hello. I'm new to Graylog, and sorry for my English; I don't speak it well. So I wrote this pipeline rule:
```
when
  has_field("Local_IP_Adress")
then
  let Nom_Compte = slookup("5b3f46a29cf6501d418b123f", "Local_IP_Adress", "IpAddress", ["TargetUserName"], "300", "desc");
  set_field("TargetUserName", (Nom_Compte));
end
```
It returns "No Match Found" while the values inside the two fields "Local_IP_Adress" and "IPAddress" are the same. Can somebody help me fix this issue, please?