Feature request: Pull multiple fields instead of just one

[deejross]

It would be nice if we could provide it a list of fields we want it to return, possibly as a separate function to maintain backwards compatibility. I have lookup data that has many fields for a single ID and I'm currently having to make multiple slookup calls to get them all.

[billmurrin]

@deejross. Sorry for the lack of response on your comment. I definitely think we can do this. Kind of been working on another project as of late and haven't had time to work on this or the next version just yet. :-)

[billmurrin]

@deejross - Incredibly sorry for the delay. Finally working this one into the codebase. Should be done soon.

[billmurrin]

Changes to support multiple return fields have been merged into develop branch. One more bug fix and will release version 2.0.0.

Here's an example of how it will work:

rule "Log Enrichment - Descending"
when
    has_field("winlogbeat_computer_name")
then
    //StreamID, Source Field, Destination Field, Return Field(s), Relative Time, Ascending SortOrder
    let system_info = slookup("5a5d8854315d00059dbea98f", "winlogbeat_computer_name", "computer_name", ["ip_address","operating_system","mac_address"], "300", "desc");
    set_field("ip_address", system_info[0]);
    set_field("operating_system", to_string(system_info[1]));
    set_field("mac_address", system_info[2]);
end

To return a single field, just surround it in a list:

slookup("5a5d8854315d00059dbea98f", "winlogbeat_computer_name", "computer_name", ["ip_address"], "300", "desc");