please use a proper formatting in your postings: https://community.graylog.org/faq#format-markdown
This will make everything more readable.
rule "ASA_Lookup_Hostnames"
when
has_field("source")
then
let mutatehost = lookup_value("asa-hostname-lookuptable", $message.source);
set_field("ASA_Host", mutatehost);
end
the above is (similar) working for me as you can see in this posting: https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/
if i use “lookup_value” it doesn’t create the new field “ASA_Host”, if i delete “_value” and leave only “lookup” i will have the same output as before 
Check the difference from the docs:
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#lookup
And the Lookup Docs: http://docs.graylog.org/en/2.4/pages/lookuptables.html#pipeline-rules
more than this when i have the lookup_value, i get this error “{“type”:“mapper_parsing_exception”,“reason”:“object mapping for [ASA_host] tried to parse field [ASA_host] as object, but found a concrete value”}”
you should rotate the index - or change the field name. Elasticsearch has guessed the type of this field.
i just have to say that you are the man, also tried it last night a couple of times, but nothing was showing, and i had no idea bout it.
once again many many thanks for the support Jan.
have a nice week-end man.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.