Hi Guys,
I would like to ask about the slookup plugin.
So I have to create a pipeline with this function.
I have one stream, and Graylog parses every line separately. So I have to do the following:
I have a "computer_name" in the "Host" field in one line, and I would like to collect the other information from the separate lines.
I used the following pipeline, but it is still not working:
rule "DLP"
when
    has_field("computer_name")
then
    let system_info = slookup("5b72d9e9de6c337accc9b3e6", "computer_name", "Host", ["timestamp", "IP", "MAC"], "300", "desc");
    set_field("timestamp", system_info[0]);
    set_field("IP", to_string(system_info[1]));
    set_field("MAC", system_info[2]);
end
I attached a picture of the schema.
Thanks,