Lookup Table Issue: HTTP JSONPath


(Naren) #1

Hello Community /Developers,

We are using HTTP JSONPath as the Data Adapter Type in lookup tables to accomplish a multi-value lookup. Unfortunately, the lookup is not working. Please help us resolve the issue.

We created a REST API using Python Flask and are accessing the URL like below:

**Request:**
http://127.0.0.1:5000/ioc?ioc=93.189.41.44

**Response**:

{
  "ioc_details": {
    "date": "2018-09-26", 
    "feed_name": "abuse.ch-SSL-IP-Blacklist", 
    "feed_overlap_count": "1", 
    "feed_url": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", 
    "ioc": "93.189.41.44", 
    "ioc_type": "ADDR"
  }
}

Lookup Table Configuration:

jsonlookup (HTTP JSONPath)
Description: jsonlookup
Configuration:
  Lookup URL: http://127.0.0.1:5000/ioc?ioc=
  Single value JSONPath: $.ioc_details
  Multi value JSONPath: $.ioc_details
  HTTP User-Agent: Graylog Lookup - https://www.graylog.org/
  HTTP Headers (Name / Value): none

Pipeline Rule:

rule "json_ti_lookup"
when
  has_field("src")
then
  // Get the source address from the message; it becomes the lookup key
  let source = to_string($message.src);
  // Look up the multi value result (a map of the object's fields) in the jsonlookup lookup table
  let tiData = lookup("jsonlookup", source);
  // Copy the two fields of interest from the lookup result onto the message
  set_field("json_feed_overlap_count", tiData["feed_overlap_count"]);
  set_field("json_feed_name", tiData["feed_name"]);
end

(Philipp Ruland) #2

Heyo @naren

your single value lookup is not configured properly. As the name suggests, it expects to return only a single property. Your JSONPath is pointing at an entire object. You'll have to use something along the lines of $.ioc_details.feed_name, which returns only a single property/field for the single value lookup :slight_smile:

Greetings,
Philipp


(Naren) #3

@derPhlipsi

Thanks, Philipp :slightly_smiling_face: The changes below in the config worked.

Working:
Lookup URL: http://127.0.0.1:5000/ioc?ioc=${key}
Single value JSONPath: $.ioc_details.feed_name

Initial:
Lookup URL: http://127.0.0.1:5000/ioc?ioc=
Single value JSONPath: $.ioc_details
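
As an added example, not part of this thread and not Graylog's own code: the Python below simulates what the two configurations above do with the response body from post #1. It substitutes the key into the URL template (failing when the `${key}` placeholder is missing, as in the initial config), resolves the single value and multi value JSONPaths against the JSON, rejects a single value path that lands on an object (Philipp's point), and then reproduces what the pipeline rule extracts from the multi value map. The function names, the dot-path JSONPath subset, and the decision to percent-encode the key are this example's assumptions; only the URLs, paths and JSON come from the thread.

```python
"""Simulate an HTTP JSONPath lookup for the jsonlookup configuration in this thread.

Constructed stand-in for the data adapter, not Graylog's implementation. The
JSONPath support is a deliberately small dot-path subset ($.a.b), which covers
every path used in the thread.
"""
import json
from typing import Any, Dict, Optional
from urllib.parse import quote

# Constructed: the exact response body the Flask endpoint returned in post #1.
SAMPLE_RESPONSE: Dict[str, Any] = json.loads("""
{
  "ioc_details": {
    "date": "2018-09-26",
    "feed_name": "abuse.ch-SSL-IP-Blacklist",
    "feed_overlap_count": "1",
    "feed_url": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
    "ioc": "93.189.41.44",
    "ioc_type": "ADDR"
  }
}
""")

KEY_PLACEHOLDER = "${key}"


def build_lookup_url(template: str, key: str) -> str:
    """Substitute the lookup key into the URL template.

    The key comes from a log field ($message.src in the rule), so it is
    attacker-influenced. Percent-encoding it (an assumption of this example)
    keeps a value like "1.2.3.4&admin=1" from adding a second query parameter.
    """
    if KEY_PLACEHOLDER not in template:
        # The initial config in the thread had no placeholder, so nothing was appended.
        raise ValueError("URL template has no ${key} placeholder; the key would never be sent")
    return template.replace(KEY_PLACEHOLDER, quote(key, safe=""))


def jsonpath_get(doc: Any, path: str) -> Any:
    """Resolve a dot-path JSONPath subset: '$' followed by '.name' segments.

    Returns None when any segment is missing, i.e. no lookup result.
    """
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    node = doc
    for segment in (s for s in path[1:].split(".") if s):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def single_value(doc: Any, path: str) -> Any:
    """Single value JSONPath: must resolve to one scalar, never an object or array."""
    value = jsonpath_get(doc, path)
    if isinstance(value, (dict, list)):
        # This is the misconfiguration from post #1: $.ioc_details is a whole object.
        raise TypeError(f"single value JSONPath {path!r} resolves to a "
                        f"{type(value).__name__}, not a scalar")
    return value


def multi_value(doc: Any, path: str) -> Optional[Dict[str, Any]]:
    """Multi value JSONPath: must resolve to an object so the rule can index its fields."""
    value = jsonpath_get(doc, path)
    if value is None:
        return None
    if not isinstance(value, dict):
        raise TypeError(f"multi value JSONPath {path!r} resolves to a "
                        f"{type(value).__name__}, not an object")
    return value


def run_rule(doc: Any, single_path: str, multi_path: str) -> Dict[str, Any]:
    """Mirror the pipeline rule: validate both paths, then set the two fields from the map."""
    single_value(doc, single_path)  # a bad single value path fails the lookup config
    ti = multi_value(doc, multi_path)
    if ti is None:
        return {}  # no hit: the rule would set nothing
    return {
        "json_feed_overlap_count": ti.get("feed_overlap_count"),
        "json_feed_name": ti.get("feed_name"),
    }


if __name__ == "__main__":
    working_url = build_lookup_url("http://127.0.0.1:5000/ioc?ioc=${key}", "93.189.41.44")
    print("request:", working_url)
    print("fields set:", run_rule(SAMPLE_RESPONSE, "$.ioc_details.feed_name", "$.ioc_details"))
    try:
        run_rule(SAMPLE_RESPONSE, "$.ioc_details", "$.ioc_details")
    except TypeError as exc:
        print("initial config rejected:", exc)
```

Running it prints the substituted request URL, the two fields the rule sets from the working config, and the rejection of the initial single value path. Only the last of these three behaviours is the one Philipp diagnosed; the placeholder check and the encoding of the key are the extra checks a practitioner would want before pointing a lookup at data taken from log messages.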


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.