Releases: billmurrin/graylog-plugin-slookup-function

SLookup 2.0.0 - Multiple Return Fields

17 Jan 06:59
I'm happy to announce version 2.0.0 of the Stream Lookup (SLookup) Pipeline Processor Function for Graylog 2.3.2 and 2.4.0.

This release adds the following features:

  • Ability to specify multiple return fields on a lookup (#5)

```
rule "Log Enrichment - Descending"
when
    has_field("winlogbeat_computer_name")
then
    // Parameters: Stream ID, Source Field, Destination Field, Return Field(s), Relative Time, Sort Order ("asc" or "desc")
    // The returned value is a list in the same order as the requested return fields.
    let system_info = slookup("5a5d8854315d00059dbea98f", "winlogbeat_computer_name", "computer_name", ["ip_address","operating_system","mac_address"], "300", "desc");
    set_field("ip_address", system_info[0]);
    set_field("operating_system", to_string(system_info[1]));
    set_field("mac_address", system_info[2]);
end
```

  • Fixed escape issue with special Lucene characters (#6)
  • The rtnFields parameter is now a List. If you have one return value, place it in brackets, e.g. ["ip_address"].
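The behaviour these notes describe (match the remote stream's destination field against the source field's value within a relative time window, sort by timestamp, return several fields as a list) and the Lucene escaping that fix #6 concerns, modelled in Python as an added illustration; this is not the plugin's own Java code. It assumes records carry a `timestamp`, that the relative time is in seconds, and that the lookup issues a `field:value` query, so an unescaped value containing `(`, `:` or `*` would be parsed as query syntax rather than matched literally.

```python
from datetime import datetime, timedelta

# Characters Lucene's classic query parser treats specially
# (the set escaped by Lucene's QueryParserBase.escape).
LUCENE_SPECIAL = set('\\+-!(){}[]^"~*?:/|&')

def escape_lucene(value: str) -> str:
    """Backslash-escape every special character so the value is matched
    literally instead of being parsed as query syntax (the #6 fix)."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in value)

def build_lookup_query(destination_field: str, value: str) -> str:
    """Query the lookup is assumed to issue: <destination_field>:<escaped value>."""
    return f"{destination_field}:{escape_lucene(value)}"

# Constructed sample "remote stream" records (hypothetical hosts, not real data).
T0 = datetime(2018, 1, 17, 6, 0)
NOW = T0 + timedelta(seconds=300)
SAMPLE_STREAM = [
    {"timestamp": T0 + timedelta(seconds=30), "computer_name": "ws-01",
     "ip_address": "10.0.0.5", "operating_system": "Windows 10",
     "mac_address": "aa:bb:cc:00:00:01"},
    {"timestamp": T0 + timedelta(seconds=200), "computer_name": "ws-01",
     "ip_address": "10.0.0.9", "operating_system": "Windows 10",
     "mac_address": "aa:bb:cc:00:00:01"},
    {"timestamp": T0 + timedelta(seconds=250), "computer_name": "ws-02",
     "ip_address": "10.0.0.7", "operating_system": "Ubuntu 16.04",
     "mac_address": "aa:bb:cc:00:00:02"},
]

def slookup(stream, source_value, destination_field, rtn_fields,
            relative_secs, sort_order, now):
    """Model of the v2.0.0 semantics: among records whose destination field
    equals the source value and whose timestamp lies within the last
    relative_secs seconds, sort by timestamp ("asc" or "desc") and return
    the requested fields of the first record as a list (None if no match)."""
    cutoff = now - timedelta(seconds=relative_secs)
    matches = [r for r in stream
               if r.get(destination_field) == source_value and r["timestamp"] >= cutoff]
    matches.sort(key=lambda r: r["timestamp"], reverse=(sort_order == "desc"))
    if not matches:
        return None
    return [matches[0].get(f) for f in rtn_fields]

if __name__ == "__main__":
    print(build_lookup_query("computer_name", "ws-01"))
    print(slookup(SAMPLE_STREAM, "ws-01", "computer_name",
                  ["ip_address", "operating_system", "mac_address"], 300, "desc", NOW))
```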

If you encounter any difficulties, have feature requests, etc., please file an Issue.

v1.1.0 SLookup Enhancement - Sort Order

18 Apr 10:23
This incremental release adds the ability to sort the return field by timestamp in either ascending or descending order (Issue #1). This feature comes in handy if you have multiple records being returned during the query. Please see the README for examples of the sort order in action.

Please report an Issue if you are having issues or would like to request a feature be added to SLookup. Mahalo!

v1.0.0 Initial Release of Graylog2 SLookup PipeLine Processor Function

22 Feb 09:12
I am proud to announce the initial release of the Graylog2 SLookup PipeLine Processor Function. The goal of the function is to return a field from a remote stream if the remote stream's destination field matches the value of the source field. A use case and example function are provided in the README. v1.0.0 was tested and is compatible with Graylog 2.2.1. It is unknown if the plugin is compatible with earlier versions.