Hi Team,
I need help with a lookup table on JSON path. I have set up a separate Elasticsearch server which is ingesting data from a CSV file like this:
domains,attack,severity
mountchart.com,APT,medium
mountcrypt.top,PHISHING,High
mountexercise.com,RANSOMWARE,High
mountfacenepal.com,APT,medium
mountintegrity.com,CVE123-234,low
mountlanka.net,CRYPTO,low
mountliterark.in,MALSPAM,medium
mountmoney.top,Emotet,Low
Data is being fed properly into my Elasticsearch server, and I want to use this data as a lookup table on the Graylog server, hence I configured a Data Adapter.
I am confused about the single value JSON path and the multi value one. What should be used there, so that when the domain "mountmoney.top" is matched from my BIND logs, new fields will be added as attack name, i.e. Emotet, and severity as Low?
Here is my JSON value from Elasticsearch:
{
  "_index": "logstash-doms-2018.09.22",
  "_type": "doc",
  "_id": "jygoAmYBCOgodINNHae0",
  "_version": 1,
  "_score": null,
  "_source": {
    "domains": "mountvalley.org",
    "attack": "DGA",
    "message": "mountvalley.org,DGA,High",
    "@timestamp": "2018-09-22T16:41:12.820Z",
    "@version": "1",
    "severity": "High",
    "host": "dsv.iqn.in",
    "path": "/var/log/dsv.csv"
  },
  "fields": {
    "@timestamp": [
      "2018-09-22T16:41:12.820Z"
    ]
  },
  "sort": [
    1537634472820
  ]
}
Can someone please suggest?
TIA
Blason R
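Added example (not part of the original post or of Graylog's own code): a minimal JSONPath resolver run against the Elasticsearch document shown above, to illustrate the difference between a single value path that yields one scalar (`$._source.attack`) and a multi value path that yields the whole object (`$._source`) from which several fields can be copied onto a matching BIND event. The `resolve_path`, `lookup_fields` and `enrich` functions, the trimmed sample document and the BIND event are constructed for illustration; if the adapter URL queries `_search` instead of fetching one document, the same resolver reaches the hit via `$.hits.hits[0]._source`.

```python
import json

# Constructed sample: the Elasticsearch hit from the post, trimmed to the fields used here.
ES_HIT = json.loads("""{
  "_index": "logstash-doms-2018.09.22",
  "_source": {
    "domains": "mountvalley.org",
    "attack": "DGA",
    "severity": "High",
    "message": "mountvalley.org,DGA,High"
  },
  "fields": {"@timestamp": ["2018-09-22T16:41:12.820Z"]},
  "sort": [1537634472820]
}""")


def resolve_path(doc, path):
    """Resolve a minimal JSONPath ($.key.sub[0].key) against a parsed JSON document.
    Only dotted object keys and numeric list indexes are supported; that is enough
    for the single value and multi value settings discussed above (assumption)."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    node = doc
    for part in path[1:].replace("[", ".").replace("]", "").split("."):
        if part == "":
            continue
        if isinstance(node, list):
            node = node[int(part)]
        elif isinstance(node, dict):
            node = node[part]
        else:
            raise KeyError(f"cannot descend into scalar at '{part}'")
    return node


def lookup_fields(doc, single_path, multi_path):
    """Single value path -> one scalar; multi value path -> an object (flat map of fields).
    A multi value path that does not point at an object is rejected rather than guessed."""
    single = resolve_path(doc, single_path)
    multi = resolve_path(doc, multi_path)
    if not isinstance(multi, dict):
        raise TypeError("multi value JSONPath must point at a JSON object")
    return single, multi


def enrich(bind_event, doc):
    """Add attack_name and severity to a constructed BIND query event when the queried
    domain equals the 'domains' value of the looked-up document; otherwise return it unchanged."""
    single, multi = lookup_fields(doc, "$._source.attack", "$._source")
    if bind_event.get("query_domain") != multi.get("domains"):
        return bind_event
    return {**bind_event, "attack_name": single, "severity": multi["severity"]}
```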