Hello, I’m really new to the Graylog scene and looking to accomplish what would essentially be a two-part lookup.
To explain, when I receive an UPDOWN syslog message from a Cisco switch, I am using an extractor to place the port id (gi1/0/x) in a new message field I’ve called port_id.
I then want to take the switch’s IP and that port_id to do a lookup against a CSV table of switches and their port descriptors to create a new message field that will indicate the device connected to that port based upon the port descriptions I’ve pulled from the switches.
What would be the optimal way to go about this, in your opinion? We’re talking less than 2000 devices. My initial thought was examining pipeline rules to perhaps concat the message source IP with the port_id, and then take that combined value as the single key (and structure my CSV as “IP+Port_ID”;“Port Desc”) for lookup.
Any insight would be greatly appreciated.
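As an added illustration of the composite-key approach described above (this is example code, not something from the original post): a Graylog pipeline rule that joins the switch IP and port_id into one key and resolves it through a CSV lookup table. It assumes the lookup table is named "switch_ports", its key column holds values like "10.0.0.5+gi1/0/12", and the switch IP is in the message's `source` field (use `gl2_remote_ip` instead if `source` carries a hostname).

```graylog
// Added example, not from the original post.
// Assumptions: lookup table "switch_ports" with key column values such as
// "10.0.0.5+gi1/0/12"; the switch IP is in $message.source (if source holds a
// hostname, use $message.gl2_remote_ip instead); the extractor has already
// populated port_id.
rule "resolve cisco port description"
when
  has_field("port_id") && has_field("source")
then
  // concat() takes exactly two arguments, so nest it to join three parts
  let key = concat(concat(to_string($message.source), "+"), to_string($message.port_id));
  // third argument is the default returned when the key is absent from the table
  let desc = lookup_value("switch_ports", key, "unknown");
  set_field("connected_device", desc);
  // keep the composite key on the message so a missing match is easy to debug
  set_field("port_lookup_key", key);
end
```

The rule must sit in a pipeline stage that runs after the extractor has populated port_id, and the CSV data adapter's separator and quote settings must match the file (the default separator is a comma, so a ";"-separated file needs that adjusted).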