Hi guys
I have a question
I have a field called packetbeat_client_ip with a value of 192.168.x.x
How can I convert the value (IP) to a name (string), for example ip=customer?
I want to replace the IP with a string name for all fields. How should I solve this problem?
Thank you for your cooperation and guidance
Hello,
You could use an extractor LOOKUP table.
Or a pipeline with a lookup table. This would depend on how many IP addresses you have to convert.
I also have seen this done on the log shipper.
Hello
Thank you so much
I need a pattern or an example to better understand lookup tables and pipelines, because I still don’t know how to use these two features to extract or replace data in Graylog.
Have a look at the Graylog documentation for lookup tables: Lookup Tables
And this (old but still relevant) YouTube video on Graylog lookup tables: 15. Graylog 3.0 Lookup Tables - YouTube
Lookup tables are certainly the answer for your use case.
Hi
Unfortunately, my lookup-table is not working.
This is my csv file
cat lookup-ip.csv
"ipaddr","name"
"96.x.x.x","customer01"
"200.x.x.x","customer02"
"185.x.x.x","customer03"
"177.x.x.x","customer04"
"97.x.x.x","customer05"
In this scenario, the main goal is to replace the customers' names with the IPs.
This pipeline file seems to have a problem.
Please guide me.
rule "change ipaddr to name customer "
when
has_field("packetbeat_real_ip")
then
//Change IP to Name
let update_source = lookup_value("lookup_ip", $message. packetbeat_real_ip);
set_field("packetbeat_real_ip ", update_source);
end
There are a few extra spaces in the pipeline rule code, which should be removed. For example:
- $message.packetbeat_real_ip instead of $message. packetbeat_real_ip
- "packetbeat_real_ip" instead of "packetbeat_real_ip "
Hi
Thank you so much for the reply
This syntax is still problematic, I don’t know why
rule "pipeline change ipaddr to name "
when
has_field("packetbeat_http_request_headers_x-real-ip")
then
let update_source = lookup_value("lookup-ip",$message.packetbeat_http_request_headers_x-real-ip);
set_field("packetbeat_http_request_headers_x-real-ip_new",update_source);
end
What message do you get when hovering over the red X mark on the left?
Try using the following (with quotes):
let update_source = lookup_value("lookup-ip",$message."packetbeat_http_request_headers_x-real-ip");
Hi, H2Cyber
The problem is solved, thank you very much
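The mistakes fixed in this thread (a space after `$message.`, a padded field name, and an unquoted field name containing `-`) can be checked before a rule is saved. The following is an added example, not part of the original posts and not Graylog code: `lint_rule` and its regular expressions are hypothetical, and it assumes, based on the fix given above, that unquoted field names may contain only letters, digits and underscores.

```python
import re

# Constructed samples, adapted from the two broken rules posted in this thread.
RULE_WITH_SPACES = '''rule "change ipaddr to name customer "
when
  has_field("packetbeat_real_ip")
then
  let update_source = lookup_value("lookup_ip", $message. packetbeat_real_ip);
  set_field("packetbeat_real_ip ", update_source);
end'''

RULE_WITH_HYPHEN = '''rule "pipeline change ipaddr to name "
when
  has_field("packetbeat_http_request_headers_x-real-ip")
then
  let update_source = lookup_value("lookup-ip",$message.packetbeat_http_request_headers_x-real-ip);
  set_field("packetbeat_http_request_headers_x-real-ip_new",update_source);
end'''

# Assumption: an unquoted field reference is limited to [A-Za-z0-9_],
# so any '-' in it means the name needs quoting, as in the thread's fix.
SPACE_AFTER_DOT = re.compile(r'\$message\.\s+')
UNQUOTED_REF = re.compile(r'\$message\.([A-Za-z_][\w-]*)')
NAME_ARG = re.compile(r'\b(has_field|set_field|lookup_value)\(\s*"([^"]*)"')


def lint_rule(source):
    """Return (line_number, message) findings for one pipeline rule."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if SPACE_AFTER_DOT.search(line):
            findings.append((n, "whitespace after $message."))
        for m in UNQUOTED_REF.finditer(line):
            if "-" in m.group(1):
                findings.append((n, "unquoted field name contains '-': " + m.group(1)))
        for m in NAME_ARG.finditer(line):
            # A padded name is a different field or table than the trimmed one.
            if m.group(2) != m.group(2).strip():
                findings.append((n, "padded name in %s(): %r" % (m.group(1), m.group(2))))
    return findings


if __name__ == "__main__":
    for label, rule in (("spaces", RULE_WITH_SPACES), ("hyphen", RULE_WITH_HYPHEN)):
        for line_no, message in lint_rule(rule):
            print("%s rule, line %d: %s" % (label, line_no, message))
```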