
SLookup 2.0.0 - Multiple Return Fields

@billmurrin released this 17 Jan 06:59

I'm happy to announce version 2.0.0 of the Stream Lookup (SLookup) Pipeline Processor Function for Graylog 2.3.2 and 2.4.0.

This release adds the following features:

  • Ability to specify multiple return fields on a lookup (#5)

```
rule "Log Enrichment - Descending"
when
    has_field("winlogbeat_computer_name")
then
    // Parameters: Stream ID, Source Field, Destination Field, Return Field(s), Relative Time, Sort Order ("asc" or "desc")
    let system_info = slookup("5a5d8854315d00059dbea98f", "winlogbeat_computer_name", "computer_name", ["ip_address","operating_system","mac_address"], "300", "desc");
    // The return fields come back as a list in the order they were requested
    set_field("ip_address", system_info[0]);
    set_field("operating_system", to_string(system_info[1]));
    set_field("mac_address", system_info[2]);
end
```
  • Fixed escape issue with special Lucene characters (#6)
  • The rtnFields parameter is now a List. If you have one return value, place it in brackets. E.g. ["ip_address"]
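The escape fix in #6 matters because the source field value (here a computer name taken from a log event) ends up inside a query. If a value containing Lucene syntax characters is interpolated verbatim, the query can break or match something other than the literal value. The following is an added illustration, not the plugin's own code: it assumes the lookup is built as a `field:value` Lucene query string, and the character set mirrors Lucene's `QueryParser.escape()`. The sample values are constructed.

```python
"""Escaping a log field value before it is placed into a Lucene query string.

Added illustration (not SLookup's code). Assumes the lookup builds a
`field:value` query; the escaped character set mirrors Lucene's
QueryParser.escape().
"""

# Characters that Lucene's classic QueryParser.escape() backslash-escapes.
LUCENE_SPECIAL = frozenset('\\+-!():^[]"{}~*?|&/')


def escape_lucene(value: str) -> str:
    """Return `value` with every query-syntax character backslash-escaped."""
    return ''.join('\\' + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def build_term_query(field: str, raw_value: str) -> str:
    """Build a `field:value` query that matches raw_value literally.

    Whitespace is not a syntax character, but an unquoted space ends the
    term, so a value containing whitespace is wrapped as a phrase.
    """
    escaped = escape_lucene(raw_value)
    if any(ch.isspace() for ch in raw_value):
        escaped = f'"{escaped}"'
    return f'{field}:{escaped}'


def build_term_query_unescaped(field: str, raw_value: str) -> str:
    """Verbatim interpolation, shown only for contrast with the escaped form."""
    return f'{field}:{raw_value}'


# Constructed sample values as they might appear in winlogbeat_computer_name.
SAMPLES = [
    "WORKSTATION-01",   # hyphen is the Lucene prohibit operator
    "srv*",             # wildcard would match every host starting with "srv"
    "app:server",       # colon would be read as a second field:value pair
    "db01 OR *",        # space plus OR would become a boolean clause
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{build_term_query_unescaped('computer_name', value):<32} -> "
              f"{build_term_query('computer_name', value)}")
```

Running the block prints each sample twice, unescaped and escaped, so the difference between `computer_name:srv*` (a wildcard) and `computer_name:srv\*` (the literal name) is visible side by side. The same idea applies to any lookup that builds a query from an untrusted field: escape first, then interpolate.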

If you encounter any difficulties, have feature requests, etc., please file an Issue.