Lookup table composed key

Hello Graylog Community!

“Disclaimer”
I’m just starting my learning curve as far as Graylog is concerned. I have, however, used Google as well as the search function within this forum, so I’m fairly confident my question hasn’t been asked hundreds of times before. If I’m wrong I’d still appreciate a pointer in the right direction.

I set up my first data-adapter/lookup-table to translate IP addresses to hostnames via reverse DNS and it works great.

Now I would like to have the Port Descriptions of my Cisco Switches inside the logs. I parsed the Cisco Config files and created a CSV file as follows:

hostname,ip_address,switch_port,port_description
heS01,172.30.254.1,GigabitEthernet1/0/1,PGZ WKS 34a
heS01,172.30.254.1,GigabitEthernet1/0/2,PGZ WKS 44a
[...]
heS02,172.30.254.2,GigabitEthernet1/0/1,PGZ WKS 34b
heS02,172.30.254.2,GigabitEthernet1/0/2,PGZ WKS 44b
[...]

The problem I see is that with the CSV data adapter I have only one key field, but I would need a lookup based on two keys, hostname+switch_port or ip_address+switch_port.

I could set up a CSV file and data adapter per switch, but this would require manual work every time a switch is added or removed.

Is there a possibility to use such a composed key “hostname+switch_port”, or is a lookup table not the way to go? If not, what alternative approach would you suggest?

thanks in advance,

Thorsten

The simplest way is probably to concat hostname+switchport into one column and use it as the key:

"hostname","port_description"
"heS01GigabitEthernet1/0/1","PGZ WKS 34a"
"heS01GigabitEthernet1/0/2","PGZ WKS 44a"
"heS02GigabitEthernet1/0/1","PGZ WKS 34b"
"heS02GigabitEthernet1/0/2","PGZ WKS 44b"

And use a pipeline rule to first concat sw_hostname+sw_port and use it as the lookup key:

rule "port desc csv lookup"
when
  has_field("sw_hostname") AND has_field("sw_port")
then
  // build the same composite key that is stored in the CSV key column
  let hostname_port = concat(to_string($message.sw_hostname), to_string($message.sw_port));
  // "csv" is the name of the lookup table built on the CSV data adapter
  let port_desc = lookup_value("csv", hostname_port);
  set_field("sw_port_desc", port_desc);
end

Or if you also want to look up ip+port, you can create one CSV file with another column holding ip+port, create a second lookup adapter pointing to the same CSV file, and use a second pipeline rule.

"hostname","ip","port_description"
"heS01GigabitEthernet1/0/1","172.30.254.1GigabitEthernet1/0/1","PGZ WKS 34a"
"heS01GigabitEthernet1/0/2","172.30.254.1GigabitEthernet1/0/2","PGZ WKS 44a"
"heS02GigabitEthernet1/0/1","172.30.254.2GigabitEthernet1/0/1","PGZ WKS 34b"
"heS02GigabitEthernet1/0/2","172.30.254.2GigabitEthernet1/0/2","PGZ WKS 44b"

rule "port desc csv lookup2"
when
  has_field("sw_ip") AND has_field("sw_port")
then
  // composite key in the same form as the "ip" column of the CSV
  let ip_port = concat(to_string($message.sw_ip), to_string($message.sw_port));
  // "csv2" is the second lookup table, keyed on the "ip" column of the same file
  let port_desc = lookup_value("csv2", ip_port);
  set_field("sw_port_desc", port_desc);
end
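As an added, constructed example (not code from this thread, from Graylog, or from the poster), here is a Python script for the CSV preparation side of the approach above: it parses minimal Cisco IOS style configs (the configs, hostnames, IPs and descriptions are made up) into rows whose key columns are hostname+port and ip+port joined exactly as the two pipeline rules' concat() calls join the message fields, writes them in the quoted CSV layout shown above, and includes a small offline stand-in for lookup_value() so the key format can be checked end to end before the file is uploaded. The management-interface name (Vlan1), the regexes and the function names are assumptions made for this example.

```python
"""Composite-key CSV builder for a single-key Graylog CSV lookup table.

Added, constructed example (not from the thread): parses minimal Cisco IOS
style configs into rows whose key columns are hostname+port and ip+port,
joined the same way the pipeline rules' concat() calls join the fields.
"""
import csv
import io
import re
import textwrap
from typing import Dict, List, Optional

# Constructed sample configs: hostnames, IPs and descriptions are made up.
SAMPLE_CONFIGS = [
    textwrap.dedent("""\
        hostname heS01
        !
        interface Vlan1
         ip address 172.30.254.1 255.255.255.0
        !
        interface GigabitEthernet1/0/1
         description PGZ WKS 34a
         switchport mode access
        !
        interface GigabitEthernet1/0/2
         description PGZ WKS 44a
        !
        interface GigabitEthernet1/0/3
        !
        """),
    textwrap.dedent("""\
        hostname heS02
        !
        interface Vlan1
         ip address 172.30.254.2 255.255.255.0
        !
        interface GigabitEthernet1/0/1
         description PGZ WKS, 34b
        !
        """),
]

HOSTNAME_RE = re.compile(r"^hostname (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
IP_RE = re.compile(r"^\s+ip address (\d{1,3}(?:\.\d{1,3}){3}) ")
DESC_RE = re.compile(r"^\s+description (.+)$")


def parse_config(text: str, mgmt_interface: str = "Vlan1") -> Dict:
    """Return {'hostname', 'ip', 'ports': {port: description}} for one config.

    The switch IP is taken from the assumed management interface; ports with
    no description are left out, so they will not be in the lookup table.
    """
    hostname: Optional[str] = None
    ip: Optional[str] = None
    ports: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HOSTNAME_RE.match(line)
        if m:
            hostname = m.group(1)
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip() == "!":  # end of an interface block
            current = None
            continue
        if current is None:
            continue
        if current == mgmt_interface:
            m = IP_RE.match(line)
            if m:
                ip = m.group(1)
            continue
        m = DESC_RE.match(line)
        if m:
            ports[current] = m.group(1).strip()
    if hostname is None or ip is None:
        raise ValueError("config lacks a hostname or a management IP")
    return {"hostname": hostname, "ip": ip, "ports": ports}


def composite_key(*parts: str, sep: str = "") -> str:
    """Mirror the rule's concat(): plain concatenation unless a separator is chosen."""
    return sep.join(parts)


def build_rows(configs: List[str], sep: str = "") -> List[Dict[str, str]]:
    """One row per described port; 'hostname' and 'ip' hold the composite keys."""
    rows: List[Dict[str, str]] = []
    for cfg in configs:
        parsed = parse_config(cfg)
        for port, desc in sorted(parsed["ports"].items()):
            rows.append({
                "hostname": composite_key(parsed["hostname"], port, sep=sep),
                "ip": composite_key(parsed["ip"], port, sep=sep),
                "port_description": desc,
            })
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Quote every field so commas in descriptions cannot shift the columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["hostname", "ip", "port_description"],
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def lookup_port_desc(table_csv: str, key_column: str, key: str) -> Optional[str]:
    """Offline stand-in for lookup_value(): exact string match on the key column."""
    for row in csv.DictReader(io.StringIO(table_csv)):
        if row[key_column] == key:
            return row["port_description"]
    return None


if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_CONFIGS)))
```

Plain concatenation matches the rules above. If a hostname could end in text that looks like the start of a port name, pass sep="|" to build_rows and change the rule to concat(concat(to_string($message.sw_hostname), "|"), to_string($message.sw_port)) so the key stays unambiguous. A port whose interface has no description is absent from the file, so lookup_value() returns null for it; check for that before set_field() if an empty description should not be written.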

Hi shoothub,
thanks for your reply.

After starting the topic I was thinking along the same lines, and your code probably saved me hours and hours of trial and error. Thank you so much!

On a side note: since “sw_port” is extracted from the syslog message via an Extractor, I had to go to System -> Configuration -> “Message Processors Configuration” -> Update and put

Message Filter Chain

in front of

Pipeline Processor

But my PoC is working now.

best regards,
Thorsten
