How to Create a Watchlist/Lookup Tables

praveen_siem · December 31, 2015, 1:00pm

Dear Team,

Do anyone have idea on how do we create a watchlist in ELK. In other terms lookup tables. This specifies a range of values say 50 or 100 or more in a single file. And save it as .csv or .txt

For Ex: there are around 50-100 source IP addresses and each cannot be mentioned in the condition in the query. So we put it in a file and call that file in the condition of the query.

How do we do this in creating a query in ELK, and that too in logstash.

Please throw some light if someone has come across such situation.

Best Regards-
Praveen Kamble

warkolm · January 1, 2016, 9:51pm

There is the translate filter that might work.

praveen_siem · January 11, 2016, 9:44am

Mark,

Thanks. Can you just help out or share any guide indicating so as how to prepare the "translate filter".

Best Regards-
Praveen

warkolm · January 12, 2016, 12:44am

https://www.elastic.co/guide/en/logstash/current/plugins-filters-translate.html is the best place to start.

praveen_siem · January 13, 2016, 10:15am

Thanks for sharing the link, Mark.

We tried to install the "translate filter" plug-in on the log stash 1.4.2- modified version, while installing we are getting the error-

Can only install contrib at this time... Exiting..

Suggest the possible resolution from your end.

warkolm · January 13, 2016, 10:23am

I'd start by upgrading, 1.4 is really old.