GrayLog Stream Lookup (SLookup) Pipeline Processor function

GrayLog Stream Lookup (SLookup) Pipeline Processor function

@billmurrin

Download from Github
View on Github
Issues
Stargazers

Plugin SLookup 2.0.0 - Multiple Return Fields

Stream Lookup function for GrayLog2 Pipeline Processor

• function
• enrichment
• plugin
• pipeline
• slookup
• pipeline-processor

SLookup facilitates the lookup of a local stream’s field value on a remote stream field, and if it matches, returns the requested fields for enrichment in the source stream.

For example, say there are two streams, one contains some http logs with source IPs (E.g. src_ip ) from internal hosts and the other stream contains information about the systems on the network such as IP address (E.g. ip_address ), computer name (E.g. computer_name ), MAC address (E.g. mac_address ), OU, make/model, etc.

In the example above, you might want to return the computer_name and mac_address fields where the value of src_ip matches ip_address .

The thought behind this function is to implement a similar functionality to the VLOOKUP function in Excel.

With features like index sets being introduced in Graylog 2.x, it is possible to use data in one stream to enrich data in another with Pipeline Processor rules.

Version 2.0.0 tested to work with Graylog 2.3.2 and 2.4.0

Github user jimzz2live created a fork of this project that adds support for Graylog 4.1. See his releases here: Releases · jimzz2live/graylog-plugin-slookup-function · GitHub

Thanks for heads up, @inventor96!

In the New Marketplace community, I’d like to welcome Github user jimzz2live to contact me at david.sciuto@graylog.com to help highlight the added support feature.

Anyone tested this on Graylog 5?

Yes, works nice on graylog 5.0.6 with jimzz2live fork mentioned by inventor96