Referencing fields inside match object

Hello All,

I’m trying to use a lookup table to create a field in my search results but the field I am trying to use as the key is inside a match object from a grok operation. I have the following pipeline rule but I don’t get any results for the “Name” field. Is it possible to reference a field within the newly created matches object and if so how?

rule "Base"
when
has_field("type") AND contains(to_string($message.type), "base")
then
let matches = grok("%{BASE}", to_string($message.message), true);
set_fields(matches);
let Name = lookup_value("registrar-names", to_string(matches.ID));
end

I’ve tried matches[#] as well to no avail. “ID” is the name of the field in my grok pattern which works fine, I just wanted to add a name derived from the id in a csv lookup table which I can then use in searches/dashboards. Do I have to not use set_fields and instead set the fields individually from the grok?

thanks!

You haven’t created the name field.

You have assigned the returned value from your lookup_value() function to the variable Name, but you haven’t created the field like you have with the matches field.

Hi Ponet, that fixed it! Thanks. FWIW this is what I ended up doing to get it to work:

rule "Base"
when
has_field("type") AND contains(to_string($message.type), "base")
then
let matches = grok("%{BASE}", to_string($message.message), true);
set_fields(matches);
set_field("Name", lookup_value("registrar-names", to_string(matches.ID)));
end

Yep, you could do the same for your matches field as well.
