GrayLog Stream Lookup (SLookup) Pipeline Processor function

dscryber · February 24, 2022, 1:32am

Plugin SLookup 2.0.0 - Multiple Return Fields

Stream Lookup function for GrayLog2 Pipeline Processor

SLookup facilitates the lookup of a local stream’s field value on a remote stream field, and if it matches, returns the requested fields for enrichment in the source stream.

For example, say there are two streams, one contains some http logs with source IPs (E.g. src_ip ) from internal hosts and the other stream contains information about the systems on the network such as IP address (E.g. ip_address ), computer name (E.g. computer_name ), MAC address (E.g. mac_address ), OU, make/model, etc.

In the example above, you might want to return the computer_name and mac_address fields where the value of src_ip matches ip_address .

The thought behind this function is to implement a similar functionality to the VLOOKUP function in Excel.

With features like index sets being introduced in Graylog 2.x, it is possible to use data in one stream to enrich data in another with Pipeline Processor rules.

Version 2.0.0 tested to work with Graylog 2.3.2 and 2.4.0

inventor96 · May 17, 2022, 6:34pm

Github user jimzz2live created a fork of this project that adds support for Graylog 4.1. See his releases here: Releases · jimzz2live/graylog-plugin-slookup-function · GitHub

dscryber · May 18, 2022, 8:23pm

Thanks for heads up, @inventor96!

In the New Marketplace community, I’d like to welcome Github user jimzz2live to contact me at david.sciuto@graylog.com to help highlight the added support feature.

giveen · January 13, 2023, 9:17pm

Anyone tested this on Graylog 5?