Lookup Table contains Value?

ion-storm · February 22, 2018, 6:40pm

I’d like to create a pipeline rule that queries a lookup table to see if a $message.sysmon_cmd_event contains the lookup_value command

I am replacing:

contains(to_string($message.sysmon_cmd_event), "vssadmin.exe Delete Shadows", true)

with

(lookup_value("cmd-lookup", to_string($message.sysmon_cmd_event)))

How do I get $message.sysmon_cmd_event to see if any part of it contains a value from cmd-lookup data adapter?

jochen · February 23, 2018, 8:38am

The lookup tables in Graylog currently only support an exact lookup (similar to a dictionary or hash map).

system · March 9, 2018, 8:38am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline Rules - Exact Match on Field Graylog Central (peer support) pipeline-rules	5	5007	June 6, 2018
Match a value within a lookup table Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	3	1715	October 8, 2020
Graylog Extraktor with lookup table Graylog Central (peer support) pipeline-rules	14	1993	May 7, 2018
Updating Lookup table values from pipeline logic? Graylog Central (peer support)	2	730	January 1, 2020
Using a CSV lookup table within a pipeline Graylog Central (peer support) pipeline-rules , debuggingpl	19	6141	January 26, 2018