Does anyone have an example of some of the new lookup table functions?
rule "wireless ip to username"
when
    has_field("source_ip") &&
    has_field("username") &&
    to_string($message.state) == "success" &&
    cidr_match("10.204.0.0/14", to_ip($message.source_ip))
then
    lookup_set_value("username-lookup-table", to_string($message.source_ip), to_string($message.username));
    //set_field("correlateduser", to_string($message.username));
end
I’ve been playing with this and things are not working as I would expect. The table/lookup cache does not seem to be updated when I go check manually.
I validated the lookups work as expected from both cache and lookup table tests.
I am attempting to test this in a pipeline:
let newValue = lookup_set_value("newtable", to_string("greg"), to_string("YELLOW"));
set_field("correlateduser", to_string(newValue));
Neither does the new string “YELLOW” seem to be set, nor is the field “correlateduser” being updated. If I change the value for set_field, it is written properly as an arbitrary value.
Doing the following results in “green” in my correlateduser field, so I at least know the rule is firing and the lookup works properly. Seems just setting values isn’t working? I’ve tried mixing in to_string as well.
let newValue = lookup_set_value("newtable", "greg", "YELLOW");
set_field("correlateduser", to_string(lookup_value("newtable", "greg", "notfound")));
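To make the correlation pattern in the first post concrete, here is an added Python model of the "wireless ip to username" rule and a companion enrichment step. It is not Graylog code and not the project's implementation: the lookup table is a plain dict, cidr_match is done with the standard ipaddress module, and lookup_set_value / lookup_value are written to mirror the return-the-value and default-on-miss behaviour the posts rely on. The log messages are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample messages standing in for parsed wireless auth and traffic logs.
SAMPLE_MESSAGES: List[dict] = [
    {"source_ip": "10.204.12.7", "username": "alice", "state": "success"},
    {"source_ip": "10.207.255.2", "username": "bob", "state": "success"},
    {"source_ip": "10.204.12.8", "username": "mallory", "state": "failure"},  # failed auth: must not be recorded
    {"source_ip": "192.168.1.5", "username": "carol", "state": "success"},    # outside the wireless range
    {"source_ip": "10.204.12.7", "bytes": 4096},                               # later traffic from alice's IP
    {"source_ip": "10.1.1.1", "bytes": 10},                                    # never authenticated
]

# Same range the rule in the first post uses.
WIRELESS_CIDR = ipaddress.ip_network("10.204.0.0/14")


def cidr_match(cidr: ipaddress.IPv4Network, ip_text: str) -> bool:
    """Model of cidr_match(): an unparsable address never matches."""
    try:
        return ipaddress.ip_address(ip_text) in cidr
    except ValueError:
        return False


def lookup_set_value(table: Dict[str, str], key: str, value: str) -> str:
    """Model of lookup_set_value(): write the pair and hand the value back."""
    table[key] = value
    return value


def lookup_value(table: Dict[str, str], key: str, default: str) -> str:
    """Model of lookup_value(): return the default when the key is missing."""
    return table.get(key, default)


def wireless_ip_to_username(msg: dict, table: Dict[str, str]) -> bool:
    """Model of the 'wireless ip to username' rule; True when it fired."""
    if (
        "source_ip" in msg
        and "username" in msg
        and str(msg.get("state")) == "success"
        and cidr_match(WIRELESS_CIDR, str(msg["source_ip"]))
    ):
        lookup_set_value(table, str(msg["source_ip"]), str(msg["username"]))
        return True
    return False


def enrich_with_user(msg: dict, table: Dict[str, str]) -> dict:
    """Second-stage rule: tag any message carrying source_ip with the last user seen on it."""
    if "source_ip" in msg:
        msg["correlateduser"] = lookup_value(table, str(msg["source_ip"]), "notfound")
    return msg


def process(messages: List[dict]) -> Tuple[Dict[str, str], List[dict]]:
    """Run both stages over a message stream, in arrival order."""
    table: Dict[str, str] = {}
    enriched: List[dict] = []
    for original in messages:
        msg = dict(original)          # do not mutate the caller's data
        wireless_ip_to_username(msg, table)
        enriched.append(enrich_with_user(msg, table))
    return table, enriched


if __name__ == "__main__":
    table, out = process(SAMPLE_MESSAGES)
    print("lookup table:", table)
    for m in out:
        print(m["source_ip"], "->", m["correlateduser"])
```

The write stage only records successful authentications from the wireless range, so a failed login and a success from an out-of-range address leave the table untouched and later traffic from those addresses is tagged "notfound" rather than attributed to a user.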
Hey @gimmic
I have added some more information to the documentation. That was indeed missing: that you can modify only the database-based lookup table…
Currently the only lookup table that can be used by this function is the MongoDB Lookup Table. BUT if someone else implements other lookup tables that have the ability to accept writes, the same pipeline functions can be used. That is the reason for not marking these functions as enterprise.