The following plugin looks up whether a value exists in a specified list and, if it is found, allows a record to be added to indicate the match. Introduced in version 1.8.4.

Configuration Parameters

The plugin supports the following configuration parameters:



The single value file that Calyptia Fluent Bit will use as a lookup table to determine if the specified lookup_key exists


The specific key to look up and determine if it exists, supports record accessor


The record to add if the lookup_key is found in the specified file. Note you may add multiple record parameters.


Set the check mode. exact and partial are supported. Default: exact.


Print to stdout the elapsed query time for every matched record. Default: false


Compare strings by ignoring case. Default: false

Example Configuration

[INPUT]
    name           tail
    tag            test1
    path           test1.log
    read_from_head true
    parser         json

[FILTER]
    name       checklist
    match      test1
    file       ip_list.txt
    lookup_key $remote_addr
    record     ioc    abc
    record     badurl null
    log_level  debug

[OUTPUT]
    name       stdout
    match      test1

With the configuration above, we read a file test1.log that includes the following values:

{"remote_addr": true, "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}

Additionally, we will use the following lookup file which contains a list of malicious IPs (ip_list.txt)

In the configuration we are using $remote_addr as the lookup key and is malicious. This means the record we would output for the last record would look like the following

{"remote_addr": "", "ioc":"abc", "url":"","badurl":"null"}
