I'm happy to announce version 2.0.0 of the Stream Lookup (SLookup) Pipeline Processor Function for Graylog 2.3.2 and 2.4.0.
This release adds the following features:
- Ability to specify multiple return fields on a lookup (#5)
```
rule "Log Enrichment - Descending"
when
    has_field("winlogbeat_computer_name")
then
    // StreamID, Source Field, Destination Field, Return Field(s), Relative Time, Ascending SortOrder
    let system_info = slookup("5a5d8854315d00059dbea98f", "winlogbeat_computer_name", "computer_name", ["ip_address","operating_system","mac_address"], "300", "desc");
    set_field("ip_address", system_info[0]);
    set_field("operating_system", to_string(system_info[1]));
    set_field("mac_address", system_info[2]);
end
```
- Fixed escape issue with special Lucene characters (#6)
- The `rtnFields` parameter is now a List. If you have one return value, place it in brackets, e.g. `["ip_address"]`
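As an added illustration of the problem behind the Lucene escaping fix (#6): the source-field value that SLookup reads from the message ends up inside a Lucene query against the target stream, and a value containing characters the query parser treats as operators (such as `:`, `*` or `-`) either breaks the query or changes its meaning. The snippet below is not the plugin's own code; it shows one way to escape such a value before it is interpolated into a query string. The reserved-character set follows the Elasticsearch `query_string` documentation, and the function names are assumptions made for this example.

```python
# Added example, not code from the SLookup plugin: escape a message field value
# before it is interpolated into a Lucene query string. The reserved-character set
# is the one documented for Elasticsearch's query_string query; function names
# (escape_lucene, build_lookup_query) are assumptions made for this illustration.
import re

# Characters the Lucene query parser treats as operators. '<' and '>' cannot be
# escaped at all, so they are stripped rather than prefixed with a backslash.
_LUCENE_RESERVED = re.compile(r'([+\-=!(){}\[\]^"~*?:\\/]|&&|\|\|)')


def escape_lucene(value: str) -> str:
    """Return value with every Lucene operator character backslash-escaped."""
    value = value.replace("<", "").replace(">", "")
    return _LUCENE_RESERVED.sub(r"\\\1", value)


def build_lookup_query(field: str, value: str) -> str:
    """Build a field:"value" query in which the value is matched as literal text.

    Without escaping, a computer name of '*' would match every message in the
    stream and a name containing ':' would be parsed as a second field clause.
    """
    return f'{field}:"{escape_lucene(value)}"'


if __name__ == "__main__":
    # Constructed sample values, as they might appear in winlogbeat_computer_name.
    for sample in ("WS-01", "host:foo", "a && b", "*", "x<y>"):
        print(f"{sample!r:12} -> {build_lookup_query('computer_name', sample)}")
```

The same escaping is what the plugin has to apply internally; the point for operators of a Graylog deployment is that lookups keyed on attacker-influenced fields (host names, user names, URLs) should be run on a build that includes this fix, since the field value is otherwise interpreted rather than matched.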
If you encounter any difficulties, have feature requests, etc., please file an Issue.