Need help on slookup plugin

Hi team,

I am working on the slookup function and unable to understand the logic, and request someone's help on it. I understand this is used for comparing two fields from different streams and, if found, returning rtnField.

Here is my scenario -

I have stream 1 - Contains clientipaddr field [Stream ID 5b9e7ef0c4445a03714dfe81]
I have stream 2 - Contains SourceIPaddr and SourceUsername [Stream ID 5c8e511a52622402c9b6bb75]

Now I need to rtnfield SourceUsername if a match is found between "clientipaddr" & "SourceIPaddr"

Here is the function I wrote, but I am unable to understand which stream this needs to be attached to.
##########
rule "Find and Insert User"
when
  has_field("clientipaddr")
then
  let user_name = slookup("5c8e511a52622402c9b6bb75", sourceAddress, clientipaddr, ["sourceUserName"], "14400", "dec");
  set_field("userName", to_string(user_name));
end
#################
OR

rule "Find and Insert User"
when
  has_field("auth_status")
then
  let user_name = slookup("5b9e7ef0c4445a03714dfe81", sourceAddress, clientipaddr, ["sourceUserName"], "14400", "dec");
  set_field("userName", to_string(user_name));
end

Is the stream ID mentioned in the slookup function the source stream, or the stream it is looked up from?

Please help

Hey @blason

didn't you hang around long enough here to know that formatting the post helps others to help you? Using code blocks around your rules is the easiest way …

In addition you should page @billmurrin as he is the author. You should mention also your Graylog version and the plugin version you are using …

My bad!! Let me take care of this from next time for sure.

@billmurrin - Any help would be really appreciated.

Thanks for the help. I managed to resolve it. In fact, here are the functions

First Stream ID = Is the remote stream ID
Source Field = The field where the pipeline is attached to
Destination Field = Field from remote stream
Rtn Field = the field you would like to return from the remote field

It's a really fantastic plugin @billmurrin
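Putting the four parameters from the reply above back into the original scenario, as an added illustration that is not from the thread or from the plugin's own docs. It assumes the field-name arguments are passed as quoted strings, that the result is coerced with to_string, and it keeps the time-range and sort-order values ("14400", "dec") exactly as the original post used them.

```graylog
// Added example. Attach this pipeline to stream 1 (5b9e7ef0c4445a03714dfe81),
// the stream whose messages carry clientipaddr. Field names as quoted strings
// is an assumption, not something the thread confirms.
rule "Find and Insert User"
when
  has_field("clientipaddr")
then
  let user_name = slookup(
    "5c8e511a52622402c9b6bb75",   // remote stream: stream 2 (SourceIPaddr / SourceUsername)
    "clientipaddr",               // source field: on the stream this pipeline is attached to
    "SourceIPaddr",               // destination field: matched against in the remote stream
    ["SourceUsername"],           // rtn field(s): pulled back from the remote stream
    "14400",                      // time range, as in the original post
    "dec"                         // sort order, as in the original post
  );
  // Only write userName when the lookup actually returned something.
  set_field("userName", to_string(user_name));
end
```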
