Using CSV lookup table to create more fields in message stream?

I’m new to Graylog, and created a data adapter to specify that I want a CSV file to be interpreted, with key/values for the device hostnames, respectively. I did add the path of my CSV file, but for some reason it says it’s not valid even though I double checked the directory of my CSV file (it’s on my local desktop, any advice for this would be appreciated). I know I need to create the cache, and then use both of these to populate the Data Lookup Table.

So I want the IP address to be added to the various fields as part of the metadata that’s generated for each signature count, so if there’s field values like “source port, destination port, timestamp,” I also want there to be an addition for “hostnames,” with the name of the device.

I know this may involve working with pipelining or extractors or grok to be able to parse the data from the Data Lookup Table to get into the message stream, but I’m not sure where to get started when I get to this step. Any advice would be appreciated.
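As an added example (not code from the thread), here is the shape of a Graylog pipeline rule that reads a CSV-backed lookup table and writes the result into a new message field; it assumes a lookup table named "hostnames_by_ip" (key column = IP address, value column = hostname) and a message field "src_ip" holding the address to resolve.

```text
// Added example, not from the original post.
// Assumed names: lookup table "hostnames_by_ip", message field "src_ip".
// Note: the CSV path configured in the data adapter is opened by the Graylog
// server process, so the file must exist on the server host (or inside the
// container), not on the workstation you use the web interface from.
rule "enrich with hostname from CSV lookup"
when
  // only touch messages that actually carry the key field
  has_field("src_ip")
then
  // lookup_value returns the value column for the key, or the third
  // argument as a default when no CSV row matches
  let host = lookup_value("hostnames_by_ip", to_string($message.src_ip), "unknown");
  set_field("hostname", host);
end
```

The rule only runs once it is placed in a pipeline stage and that pipeline is connected to the stream carrying these messages.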

Hey @Jones453

Are you referring to something like this?

If you’re just trying to add Hostname or IP when one or the other shows up, have you looked at using the DNS/rDNS adapters instead? That’s what I did as it was simpler with my setup than trying to extract a CSV to import.

When I did initially test with a CSV I used the HTTP DSV adapter instead of the local file as that was easier for me to do than pushing a CSV to a docker volume.


+1 for the DNS/rDNS adapters. In my case, I set the cache large enough that for internal hosts, it’s not generating much DNS traffic.

What cache did you use? I went with write because otherwise some of the lookups would never expire.

I used non-local in memory, expire 12 hours after access. I am not expiring after write, because what I am looking up doesn’t change much.
