Generic lookups

TeskaLabs LogMan.io generic lookups serve to create lists of keys or key-value pairs. The type in the define section of the declaration is simply lookup:

---
define:
  type: lookup
  ...

When it comes to parsing, generic lookups can be used only in the standard enricher with the !LOOKUP expression.

Creating a generic lookup

There are always three steps to enable lookups:

  1. Create a lookup declaration in the LogMan.io Library (the lookup description)
  2. Create the lookup and its content in the Lookups section in the UI (the lookup content)
  3. Add the lookup to the relevant parsing and/or correlation rules in the Library (the lookup application)

Use case: User lookup

A user lookup is used to get user information such as username and email by the user ID.

  1. In LogMan.io, go to the Library.

  2. In the Library, go to the folder /Lookups.

  3. Create a new lookup declaration for your lookup, such as "userlookup.yaml", making sure the file has a YAML extension.

  4. Add the following declaration:

    define:
      type: lookup
      name: userlookup
      group: user
    
    keys:
      - name: userid
        type: str
    
    fields:
      user_name:
        type: str
      email:
        type: str
    

    Make sure the type is always lookup.

    Change the name in the define section to your lookup name.

    The group is then used in the enrichment process to locate all lookups that share the same group. Its value is a unique identifier of the group (the use case); here it is user.

    The following types are supported for keys: str, ip, mac, ui64.

    Under fields, add the names and types of the lookup attributes. This example uses user_name and email, both as strings.

    Currently, these types are supported: str, fp64, si32, geopoint, and ip.

  5. Save the declaration.

  6. In LogMan.io, go to Lookups.

  7. Create a new lookup with the same name as above, i.e. "userlookup". Specify the user ID as the key.

  8. Create records in the lookup with the user ID as the key and fields as specified above.

  9. Add the following enricher to the LogMan.io Parsec rule that should utilize the lookup:

    define:
      type: enricher/standard
    
    enrich:
      user_name:
        !GET
        from:
          !LOOKUP
          what: userlookup
        what:
          !GET
          from: !EVENT
          what: user.id
    

    This sample enricher obtains user_name from the userlookup based on the user.id attribute from the parsed event.
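As an added example (not part of the LogMan.io documentation or product), the following Python script checks a lookup declaration against the rules stated above (type must be lookup, key and field types limited to the supported sets) and simulates what the enricher does: take user.id from the event, look it up, and copy user_name into the event. It assumes events are flat dicts with dotted attribute names and that an event whose key has no record is passed through unchanged; the declaration and lookup content are constructed to mirror the steps above.

```python
KEY_TYPES = {"str", "ip", "mac", "ui64"}                 # supported key types
FIELD_TYPES = {"str", "fp64", "si32", "geopoint", "ip"}  # supported field types

# Constructed copy of the userlookup.yaml declaration from step 4.
USERLOOKUP_DECL = {
    "define": {"type": "lookup", "name": "userlookup", "group": "user"},
    "keys": [{"name": "userid", "type": "str"}],
    "fields": {"user_name": {"type": "str"}, "email": {"type": "str"}},
}

# Constructed lookup content, as it would be entered in the Lookups UI (step 8).
USERLOOKUP_CONTENT = {
    "u1001": {"user_name": "alice", "email": "alice@example.com"},
    "u1002": {"user_name": "bob", "email": "bob@example.com"},
}


def validate_declaration(decl):
    """Return a list of problems; an empty list means the declaration passes."""
    problems = []
    define = decl.get("define", {})
    if define.get("type") != "lookup":
        problems.append("define.type must be 'lookup'")
    for required in ("name", "group"):
        if not define.get(required):
            problems.append(f"define.{required} is missing")
    if not decl.get("keys"):
        problems.append("at least one key is required")
    for key in decl.get("keys", []):
        if key.get("type") not in KEY_TYPES:
            problems.append(f"key {key.get('name')!r}: unsupported type {key.get('type')!r}")
    for name, spec in decl.get("fields", {}).items():
        if spec.get("type") not in FIELD_TYPES:
            problems.append(f"field {name!r}: unsupported type {spec.get('type')!r}")
    return problems


def enrich(event, content, key_attr="user.id", field="user_name"):
    """Simulate the enricher: !GET key_attr from the event, !LOOKUP it, copy `field`.

    Assumptions (not stated on the page): events are flat dicts with dotted attribute
    names, and an event whose key has no lookup record is returned unchanged.
    """
    key = event.get(key_attr)
    record = content.get(key) if key is not None else None
    if record is None or field not in record:
        return dict(event)
    return {**event, field: record[field]}
```

Run validate_declaration on a declaration before saving it to the Library, and enrich on a sample event to confirm the key attribute and lookup records line up.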