ip_reputation

Retrieve two fields for the IP address from an external lookup file that holds reputational information about the address; an address that is not present in the lookup is given a neutral reputation.

lookup reputation ip | 
rename reputation AS at_reputation | 
rename location AS at_location | 
fillnull at_reputation value=neutral

Derive three fields from the tagging field (tag::eventtype) and rename them. The first tag value is split on a double-underscore separator into action, ticket and title; a trailing numerical weight on the tag makes it possible to weight the action. Events that carry no tag default to the Triage action.

eval highest_tag = mvindex('tag::eventtype', 0) | 
rex field=highest_tag "^(?<ids_action>.*?)__(?<ids_ticket>.*?)__(?<ids_title>.*?)__(?<ids_weight>\d+)$" | 
```ids_weight is an assumed name for the trailing numeric weight; the original group names were lost``` 
rename ids_action AS at_action | 
rename ids_ticket AS at_ticket | 
rename ids_title AS at_title | 
fillnull at_action value=Triage
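The following Python is an added reference implementation of both enrichment steps above (the reputation lookup with its neutral default, and the action/ticket/title/weight split with its Triage default). It is not part of the original page and not Splunk code; the lookup table, the event records and the field name at_weight are constructed for the example. One deliberate difference from the SPL: where the search takes the first tag value with mvindex(..., 0), this code picks the tag with the highest trailing weight, so the order of the multivalue field does not matter.

```python
import re

# Constructed stand-in for the external "reputation" lookup file (ip -> reputation, location).
REPUTATION_LOOKUP = {
    "203.0.113.10": {"reputation": "malicious", "location": "NL"},
    "198.51.100.7": {"reputation": "benign", "location": "US"},
}

# Same shape as the rex on the page: action__ticket__title__weight.
# Lazy quantifiers plus the $ anchor mean a title that itself contains "__"
# still ends up in ids_title, because the weight must be the final numeric part.
TAG_RE = re.compile(
    r"^(?P<ids_action>.*?)__(?P<ids_ticket>.*?)__(?P<ids_title>.*?)__(?P<ids_weight>\d+)$"
)


def lookup_reputation(ip):
    """Equivalent of `lookup reputation ip | rename ... | fillnull at_reputation value=neutral`."""
    row = REPUTATION_LOOKUP.get(ip, {})
    return {
        "at_reputation": row.get("reputation", "neutral"),  # fillnull default
        "at_location": row.get("location"),                 # stays null when unknown
    }


def parse_tag(tag):
    """Split one tag into its four parts; None when the tag does not follow the convention."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    parts = m.groupdict()
    parts["ids_weight"] = int(parts["ids_weight"])
    return parts


def highest_tag(tags):
    """Pick the parsable tag with the largest trailing weight (None if there is none)."""
    parsed = [p for p in (parse_tag(t) for t in tags) if p is not None]
    if not parsed:
        return None
    return max(parsed, key=lambda p: p["ids_weight"])


def enrich(event):
    """Apply both enrichment stages to a single event (a dict of field -> value)."""
    out = dict(event)
    out.update(lookup_reputation(event.get("ip", "")))
    best = highest_tag(event.get("tag::eventtype", []))
    if best is None:
        out["at_action"] = "Triage"  # fillnull at_action value=Triage
    else:
        out["at_action"] = best["ids_action"]
        out["at_ticket"] = best["ids_ticket"]
        out["at_title"] = best["ids_title"]
        out["at_weight"] = best["ids_weight"]  # assumed name; the page does not rename the weight
    return out


# Constructed sample events covering the normal case and each default.
EVENTS = [
    {"ip": "203.0.113.10",
     "tag::eventtype": ["monitor__INC-1002__Port scan__40", "block__INC-1001__C2 beacon__90"]},
    {"ip": "192.0.2.55", "tag::eventtype": ["monitor__INC-2001__Suspicious login__40"]},
    {"ip": "198.51.100.7", "tag::eventtype": []},
    {"ip": "198.51.100.7", "tag::eventtype": ["not-a-convention-tag"]},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(enrich(ev))
```

Running the block prints one enriched record per sample event: the first resolves to the block action even though that tag is listed second, the second falls back to a neutral reputation, and the last two default to Triage because no tag matches the convention.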