Parsing pipeline ["values"] from multi-value result


(Jason Keller) #1

So I’m getting back a multi-value result in a lookup table with a single value (to work around this… https://github.com/Graylog2/graylog2-server/issues/4515, apparently related to this… https://github.com/json-path/JsonPath/issues/272), however I’m hitting a wall because it looks like this…

["value"]

Which immediately makes me think JSON array, which needs to be referenced using [0], right? However, this completely bombs out because the type is considered ‘Object’ in the pipeline. When set into a field using set_field, I’m getting this…

["value"]

Instead of what I want which is…

value

How are you supposed to use a returned value set like this (one of the examples shows values getting returned like this in the Lookup Table setup, but has no instructions on how to actually use it)?


(Jake Smith) #2

Hi Jason,

A sort of kludge you could do, which while not ideal, would be to have two lookup tables.

Then in your pipeline perform two lookups to get you two values using different tables with the same key information and set fields accordingly.

I agree a multi value lookup would be easier, but this may be a solution albeit an inelegant one.

Cheers
Magneton


(Jason Keller) #3

My kludge of choice thus far has been to substring its predictably crappy output to remove the brackets and quotes…but I was hoping for a neater, less barbaric process.


(Jake Smith) #4

Jason,

My method would work

Example with ip address field

first lookup table

"ip","location"
"192.168.1.1","home"

2nd file
"ip","reputation"
"192.168.1.1","RFC 1918 - address"

Using the above we would be able to perform a lookup twice and get the location and reputation within a pipeline rule.

Cheers

Jake
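
The two-table approach from post #4 written out as a Graylog pipeline rule. This is an added example, not code from either poster. The lookup table names `ip_location` and `ip_reputation`, the message field `src_ip`, and the target field names are assumptions; each table is assumed to be backed by one of the CSV files above with `ip` as the key column.

```graylog
rule "enrich src_ip with location and reputation"
when
  // Only run when the message carries the key we look up on (assumed field name).
  has_field("src_ip")
then
  // Normalise the key to a string so both lookups use the same value.
  let ip = to_string($message.src_ip);

  // lookup_value() returns the table's single value for the key;
  // the third argument is the default used when the key is not found.
  let location   = lookup_value("ip_location", ip, "unknown");
  let reputation = lookup_value("ip_reputation", ip, "unknown");

  // One field per table, so neither result has to be unpacked
  // from a multi-value structure.
  set_field("src_ip_location", location);
  set_field("src_ip_reputation", reputation);
end
```

A search on `src_ip_location:unknown` or `src_ip_reputation:unknown` then shows which addresses are missing from either CSV file.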

