Lookup table with multiple JSON responses

Graylog Tech Challenges
1

Hi,

I have a lookup table which shows multiple responses for a lookup:

{
    "totalResults": 2,
    "usecase": [
        {
            "number": 100,
            "data": {
                "title": "Test SQL Injection",
                "type": "web",
                "attributes": "{\"data_id\": 200, \"data_protocol\": GET}"
            }
        },
        {
            "number": 101,
            "data": {
                "title": "Test SQL Injection 2",
                "type": "web",
                "attributes": "{\"data_id\": 200, \"data_protocol\": POST}"
            }
        }
    ]
}

This is the pipeline I am using:

rule "Use Cases - Query"
when
   has_field("rule_id")
then
   let ldata = lookup(
       lookup_table: "usecase_query",
       key: to_string($message.rule_id)
       );
   set_fields(
       fields: ldata,
       prefix: "usecase_"
       );  
end

The data is stored in a single field (usecase_value) as:

[{"number":100,"data":{"attributes":"{\"data_id\": 200, \"data_protocol\": GET}","title":"Test SQL Injection","type":"web"}},{"number":101,"data":{"attributes":"{\"data_id\": 200, \"data_protocol\": POST}","title":"Test SQL Injection 2","type":"web"}}]

What is the correct way to save all this information into single fields?

2

Hello,

Correct me if I’m wrong but you trying to put multiply data under a single field?
Maybe comparing it to a message field?

3

Well not in a single field. I meant that I want all the data from dat field extracted to multiple fields. Also when there are multiple responses (like numbers in the example).

4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.