Need help on lookup table JSON

Well, I wanted to query a domain and extract both the fields in a single lookup. I guess I wasn't clear enough in my previous attempt.

Let's say below is the entry

bad.com,APT,High

so if bad.com is found by Lookup Table

attackname: APT
Severity: High

Will both the options be tagged by a single lookup? Else I will have to create one more lookup table, and for each domain two API lookups will be used. Hence wondering if it can be done in a single lookup?

For an answer I need one piece of info: How are you planning on using the lookup table? As a message decorator? As a pipeline function? As an extractor converter?

Because I gave you an answer on how to extract both fields at the same time:

Oh, thanks for reminding, it's as an extractor converter.

Well, then you'll have to create a second lookup table, I'm afraid. Or let the Graylog devs know that the multi-value response of a lookup table is also useful as an extractor converter. You could open up a Graylog GitHub issue to get the devs to have a look at it :)

But I would recommend you have a look at pipelines. AFAIK the extractors on inputs will be dropped as a mid/long-term change to Graylog (at least that is what I can remember having read in some statements). But don't quote me on that.

Greetings,
Philipp
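
A pipeline rule along the lines recommended above, as an added example that is not part of the original thread. It sets both fields from one lookup call; the table name `threat_domains`, the message field `domain`, and the keys in the table's multi-value result are assumptions.

```graylog
// Added example. "threat_domains" and the "domain" field are assumed names.
rule "tag domain with attack name and severity"
when
  has_field("domain")
then
  // lookup() returns the table's multi-value result as a map,
  // whereas lookup_value() returns only the single value.
  let intel = lookup("threat_domains", to_string($message.domain));

  // Assumes the data adapter's multi value carries these two keys,
  // e.g. {"attackname": "APT", "Severity": "High"} for bad.com.
  set_field("attackname", intel["attackname"]);
  set_field("Severity", intel["Severity"]);
end
```

The data adapter behind the table has to be configured to return a multi value containing both keys, otherwise the map has nothing to read from.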
