README.md
Lines changed: 25 additions & 7 deletions
@@ -22,37 +22,55 @@ Function Breakdown
22
22
23
23
Function | Description
24
24
-------- | -----------
25
-
slookup(stream, srcField, dstField, rtnField, timeRange) : String | Conduct a lookup in a remote stream and return a field value based on a matching source field. Similar to VLOOKUP in Excel
25
+
slookup(stream, srcField, dstField, rtnField, timeRange, sortOrder) : String | Conduct a lookup in a remote stream and return a field value based on a matching source field. Similar to VLOOKUP in Excel
26
26
27
27
Parameter | Type | Required | Description
28
28
--------- | ---- | -------- | -----------
29
29
stream | String | Y | The stream to look up the source field.
30
30
srcField | String | Y | The source field. The value to query for in the remote stream.
31
31
dstField | String | Y | The destination field that will be queried against.
32
32
rtnField | String | Y | The field to return if the query is successful.
33
-
timeRange | String | Y | Relative Time Range
33
+
timeRange | String | Y | Relative Time Range (Seconds)
34
+
sortOrder | String | Y | Timestamp sort order either "asc" or "desc".
34
35
35
36
Use Case and Rule Example
36
37
---
37
38
38
-
Below is a rule that was created to lookup the value of an IP address in order enrich Windows Event Log messages coming from WinLogBeat.
39
+
Below are example rules that were created to lookup the value of an IP address in order enrich Windows Event Log messages coming from WinLogBeat.
39
40
40
41
In this use case, the remote stream named Systems with stream_id 58aba0cb3cbe8205e76c6145 contains system information (IP, MAC, ComputerName). This could be a dump of Directory Service Computer Objects, a listing of NBTScan results, etc.
41
42
42
43
The slookup function constructs a search query using the value of winlogbeat_computer_name on the computer_name field (computer_name:VALUE_OF_FIELD). If the search is successful, the ip_address field is returned. The returned value can then be added to the current stream message in the pipeline.
43
44
45
+
The sortOrder parameter instructs the function to either return the oldest match (ascending), or the newest match (descending) if multiple records are found during the query.
46
+
44
47
```
45
-
rule "IP Lookup"
48
+
rule "IP Lookup - Ascending"
46
49
when
47
50
has_field("winlogbeat_computer_name")
48
51
then
49
-
//StreamID, Source Field, Destination Field, Return Field, Relative Time
50
-
let system_info = slookup("58aba0cb3cbe8205e76c6145", "winlogbeat_computer_name", "computer_name", "ip_address", "14400");
let system_info = slookup("58aba0cb3cbe8205e76c6145", "winlogbeat_computer_name", "computer_name", "ip_address", "14400", "asc");
51
54
set_field("ip_address", to_ip(system_info));
52
55
end
53
56
```
54
57
55
-
This function has only been tested in a limited setting. Its performance impact on large remote streams and very large relative data timeframes, remains unknown.
let system_info = slookup("58aba0cb3cbe8205e76c6145", "winlogbeat_computer_name", "computer_name", "ip_address", "14400", "desc");
65
+
set_field("ip_address", to_ip(system_info));
66
+
end
67
+
```
68
+
69
+
Additional Info
70
+
---
71
+
This function has been tested in a limited setting. Its performance impact on very large remote streams and very large relative data timeframes, remains unknown.
72
+
73
+
If you experience an ingestion slow-down enriching a large volume of data, you can attempt increasing *processbuffer_processors* in the graylog server.conf file.
56
74
57
75
More information about writing a Graylog2 processor pipeline function.
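Review bot: the parameter table marks the new `sortOrder` argument as Required = Y, which makes this a breaking change for every existing rule that still calls `slookup` with five arguments (the removed example line ending in `"14400");`), and nothing in the hunk says so. Either make the sixth parameter optional with a documented default, or call the break out explicitly under the new Additional Info heading. Two smaller points in the same hunk: the removed comment `//StreamID, Source Field, Destination Field, Return Field, Relative Time` was the one place the argument order was spelled out next to the code, so updating it to `//StreamID, Source Field, Destination Field, Return Field, Relative Time (Seconds), Sort Order` is better than deleting it; and the added sentence "in order enrich Windows Event Log messages" is missing "to", while "very large relative data timeframes, remains unknown" carries a stray comma. It would also help to state what the function does when `sortOrder` is neither "asc" nor "desc" (error, or fall back to a default), since the table only lists the two accepted values.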