Feedback on combining message data for lookup

Hello, I’m really new to the Graylog scene and looking to accomplish what would essentially be a two part lookup.

To explain, when I receive an UPDOWN syslog message from a Cisco switch, I am using an extractor to place the port id (gi1/0/x) in a new message field I’ve called port_id.

I then want to take the switch’s IP and that port_id to do a lookup against a CSV table of switches and their port descriptors to create a new message field that will indicate the device connected to that port based upon the port descriptions I’ve pulled from the switches.

What would be the optimal way to go about this, in your opinion? We’re talking less than 2000 devices. My initial thought was examining pipeline rules to perhaps concat the message source IP with the port_id, and then take that combined value as the single key (and structure my CSV as “IP+Port_ID”;“Port Desc”) for lookup.

Any insight would be greatly appreciated.

Just following up that I ended up using the method I mentioned at the end to create a unique key for lookup. Plugging that into a pipeline with:

rule "PortLookup"
when
    has_field("port_id")
then
    // Build the unique key: source IP followed by the full interface name
    let ipport = concat(to_string($message.source), concat("GigabitEthernet", to_string($message.port_id)));
    // Look the key up in the CSV-backed lookup table and store the result
    let device = lookup_value("interface_lookup", ipport);
    set_field("device_name", device);
end

Worked out great. Just had to remember to put the Pipeline Processor after the Message Filter Chain in System/Configurations.
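As an added example (not code from the original post or from Graylog), the same enrichment written out in Python so the key construction can be checked offline: a constructed CSV in the "IP+Port_ID";"Port Desc" layout, a constructed Cisco UPDOWN syslog line, and a lookup that mirrors the rule's concat. The regex, the column names and the sample values are assumptions for this example.

```python
import csv
import io
import re

# Constructed lookup table in the "IP+Port_ID";"Port Desc" layout from the post
# (addresses and descriptions are made up for this example).
LOOKUP_CSV = '''"key";"device_name"
"10.0.0.2GigabitEthernet1/0/5";"printer-3rd-floor"
"10.0.0.2GigabitEthernet1/0/7";"ap-lobby"
"10.0.0.3GigabitEthernet1/0/1";"uplink-core"
'''

# Constructed Cisco UPDOWN line of the kind the extractor in the post runs on.
SAMPLE_MESSAGE = "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down"

# Captures only the slot/module/port part, so the key builder can prepend the
# long interface name exactly as the pipeline rule does (assumed regex).
UPDOWN_RE = re.compile(
    r"Interface (?:GigabitEthernet|Gi)(?P<port_id>\d+/\d+/\d+), changed state to (?P<state>up|down)",
    re.IGNORECASE,
)


def load_lookup_table(csv_text):
    """Parse the semicolon-separated CSV into a dict keyed by IP+interface."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=";", quotechar='"')
    return {row["key"]: row["device_name"] for row in reader}


def extract_port_id(message):
    """Stand-in for the extractor: return '1/0/5' style port id, or None."""
    match = UPDOWN_RE.search(message)
    return match.group("port_id") if match else None


def build_key(source_ip, port_id):
    """Mirror concat(source, concat("GigabitEthernet", port_id)) from the rule."""
    return f"{source_ip}GigabitEthernet{port_id}"


def enrich(message, source_ip, table):
    """Return the device_name the rule would set_field(), or None if no match."""
    port_id = extract_port_id(message)
    if port_id is None:
        return None  # not an UPDOWN message: has_field("port_id") would be false
    return table.get(build_key(source_ip, port_id))


if __name__ == "__main__":
    print(enrich(SAMPLE_MESSAGE, "10.0.0.2", load_lookup_table(LOOKUP_CSV)))
```

A message whose key has no row in the CSV yields None, which is the case to check for when a new port description is added on the switch but the exported CSV has not been refreshed.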
