graylog-plugin-pipeline-processor icon indicating copy to clipboard operation
graylog-plugin-pipeline-processor copied to clipboard

Published 20 hours ago verified publisher icon Graylog2

Error: WARN [EqualityExpression] left expression evaluated to null, returning false: $message.SourceUser

Open dennisoelkers opened this issue 8 years ago • 4 comments

From @urban-moniker on May 9, 2017 9:20

We are seeing the error shown below in our logs. As far as I can tell this started appearing 3 weeks ago, but am not sure what precipitated it as we are still testing and do not have formal change control around upgrades\changes etc:-

WARN [EqualityExpression] left expression evaluated to null, returning false: $message.SourceUser

I'm sure this is to do with one of our processing pipelines\extractors etc, but am not sure how to track the offending setting\entry down.

Can you give any pointers as to where we can look for additional information that could help me identify what is causing this?

Many Thanks

Copied from original issue: Graylog2/graylog2-server#3799

dennisoelkers avatar May 09 '17 09:05 dennisoelkers

Hey @urban-moniker,

thanks for reporting this. I am moving in to the correct repository?

Other than that, the error seems to come from here. I would guess that you have a pipeline rule, that is trying to evaluate $message.SourceUser while $message is null.

It looks like we need better output that is helping you to find the correct rule to fix.

dennisoelkers avatar May 09 '17 09:05 dennisoelkers

Thanks very much. I think the error must be coming from this rule - I assume that the highlighted line is not working as I expected, is there a better (correct!) way of ignoring a null value?

rule "Hash Source Username" when $message.SourceUser != "" then set_field("SourceUserHash", sha1(lowercase(to_string($message.SourceUser)))); end

urban-moniker avatar May 09 '17 10:05 urban-moniker

@urban-moniker I think adding a has_field('SourceUser') in front of that when condition should make this issue go away. The problem for the interpreter is that it cannot know if it should simply ignore the null value or if something is broken. In your case I guess it would be ok to simply treat the entire expression as false, but I don't think there's a generic way.

We could add implicit has_field checks for referenced message fields, I suppose, but I would need to think about that a bit to avoid useless checks all over the place that would heavily impact performance.

kroepke avatar May 09 '17 13:05 kroepke

Thanks very much.

urban-moniker avatar May 09 '17 16:05 urban-moniker