In Graylog, is it possible to add a brief description to a source name?
For example, I’ve got sources from 10.10.10.x and I’d like to give them description1.
I would like to have them searchable by “description1”.
The source should be altered to 10.10.10.10_description1 or 10.10.10.9_description1.
Can I do it? If yes, how?
I would not recommend changing the Source field value; instead, I would suggest creating a new field through a pipeline.
If I’m understanding what you’re saying, you’re wanting to add a static description for specific hosts, so I’d suggest creating a lookup table (I personally use CSV files, but the choice is yours).
Once you have your lookup table and it provides the descriptions you’re after for the hosts, you can create a pipeline rule to create the description field.
Something similar to the below should do the trick:
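```
rule "Add Source Description"
when
    // You can specify criteria to match specific messages here
    // For example, a specific set of source values
    // Use `true` to match all messages (the when clause needs an expression to parse)
    true
then
    // Look up the message's source in the lookup table named "source-description-lookup"
    let description = lookup_value("source-description-lookup", $message.source);
    // Store the result in a new field instead of altering the source field
    set_field("Source_Description", description);
end
```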
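As an added example (not part of the original post, and not Graylog's own tooling), the script below generates a CSV file for the lookup table suggested above, with one row per host so that each source value has its own key. It assumes the `source` field holds the host's IP address and that the lookup matches keys exactly; the column names `source` and `description`, the mapping contents and the per-host override entry are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample mapping: the 10.10.10.x range and "description1" come from
# the question; the /32 entry is made up to show a per-host override.
SUBNET_DESCRIPTIONS = {
    "10.10.10.0/24": "description1",
    "10.10.10.9/32": "description1-gateway",
}


def build_rows(mapping):
    """Expand each network to one {host: description} entry per host address.

    More specific networks win, so a /32 entry overrides its enclosing /24.
    """
    rows = {}
    # Process the widest networks first so narrower ones overwrite them.
    nets = sorted(
        ((ipaddress.ip_network(cidr), desc) for cidr, desc in mapping.items()),
        key=lambda item: item[0].prefixlen,
    )
    for net, desc in nets:
        if not desc.strip():
            raise ValueError(f"empty description for {net}")
        # A single-address network is its own host; hosts() skips the
        # network and broadcast addresses of wider networks.
        single = net.prefixlen == net.max_prefixlen
        hosts = [net.network_address] if single else net.hosts()
        for host in hosts:
            rows[str(host)] = desc
    return rows


def render_csv(rows):
    """Return CSV text with a header row and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["source", "description"])  # assumed column names
    for host in sorted(rows, key=ipaddress.ip_address):
        writer.writerow([host, rows[host]])
    return buf.getvalue()


if __name__ == "__main__":
    print(render_csv(build_rows(SUBNET_DESCRIPTIONS)), end="")
```
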
Hello and thank you, I’ll try that.
Where do I put and reference the lookup table?
Is there some documentation on such a procedure?
Hey @Hoygen,
Documentation for Lookup tables can be found here:
Documentation for Pipelines can be found here: