Translate allows you to perform a lookup against a dictionary based on the contents of a field, e.g. clientip, and populate a different field with the result, which could be SECURE or MALICIOUS as in your example. You could combine this with a conditional (the field containing the result of the lookup is not set) and use a mutate filter to then set it to MALICIOUS, which would be the default value. This should do what your Ruby filter does but avoid loading the file once for every event.
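
A sketch of the pipeline described above, added as an illustration and not taken from the original post. The dictionary path, its contents and the `ip_status` field name are assumptions; `source`/`target` are the option names in current versions of the translate filter (older versions call them `field`/`destination`).

```logstash
# Constructed sample dictionary, assumed to live at /etc/logstash/ip_status.yml:
#
#   "10.0.0.5": SECURE
#   "10.0.0.6": SECURE
#   "203.0.113.9": MALICIOUS
#
filter {
  translate {
    # Field whose value is used as the lookup key.
    source           => "clientip"
    # Field that receives the looked-up value (hypothetical name).
    target           => "ip_status"
    # The file is loaded by the plugin and kept in memory,
    # not re-read for every event.
    dictionary_path  => "/etc/logstash/ip_status.yml"
    # Check the file for changes at most every 300 seconds.
    refresh_interval => 300
  }

  # No dictionary entry matched, so the target field was never created:
  # apply the default value.
  if ![ip_status] {
    mutate {
      add_field => { "ip_status" => "MALICIOUS" }
    }
  }
}
```

The translate filter also has a `fallback` option that sets the target field when no entry matches, so `fallback => "MALICIOUS"` inside the `translate` block gives the same default without the conditional.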