Generic lookups¶
TeskaLabs LogMan.io generic lookups serve to create lists of keys or key-value pairs. The `type` in the `define` section of the declaration is simply `lookup`:
```yaml
---
define:
  type: lookup
...
```
In parsing, generic lookups can be used only in the standard enricher (`enricher/standard`), through the `!LOOKUP` expression.
Creating a generic lookup¶
There are always three steps to enable a lookup:
- Create a lookup declaration in the LogMan.io Library (the lookup description)
- Create the lookup and its content in the Lookups section of the UI (the lookup content)
- Add the lookup to the relevant parsing and/or correlation rules in the Library (the lookup application)
Use case: User lookup¶
A user lookup is used to get user information such as username and email by the user ID.
- In LogMan.io, go to the Library.
- In the Library, go to the folder `/Lookups`.
- Create a new lookup declaration for your lookup, such as "userlookup.yaml", making sure the file has a YAML extension.
- Add the following declaration:

```yaml
---
define:
  type: lookup
  name: userlookup
  group: user

keys:
  - name: userid
    type: str

fields:
  user_name:
    type: str
  email:
    type: str
```
Make sure the `type` is always `lookup`. Change the `name` in the `define` section to your lookup name. The `group` is later used in the enrichment process to locate all lookups that share the same group; its value is a unique identifier of the group (use case), here `user`.

The following types are supported for `keys`: `str`, `ip`, `mac`, `ui64`.

To `fields`, add the names and types of the lookup attributes. This example uses `user_name` and `email` as strings. Currently, these types are supported: `str`, `fp64`, `si32`, `geopoint`, and `ip`.

- Save the declaration.
- In LogMan.io, go to Lookups.
- Create a new lookup with the same name as in the declaration, i.e. "userlookup". Specify the user ID as the key.
- Create records in the lookup with the user ID as the key and the fields as specified above.
- Add the following enricher to the LogMan.io Parsec rule that should utilize the lookup:

```yaml
---
define:
  type: enricher/standard

enrich:
  user_name: !GET
    from: !LOOKUP
      what: userlookup
    what: !GET
      from: !EVENT
      what: user.id
```
This sample enricher obtains `user_name` from the `userlookup` lookup, keyed by the `user.id` attribute of the parsed event.