SNC Cribl MCP

{ "id": "lookup", "schema": { "type": "object", "title": "", "required": ["file"], "properties": { "file": { "type": "string", "title": "Lookup file path (.csv, .csv.gz)", "description": "Path to the lookup file. Reference environment variables via $. Example: $HOME/file.csv", "minLength": 1 }, "dbLookup": { "type": "boolean", "title": "Use Disk-Based Lookup", "description": "Enable to use a disk-based lookup. This option displays only the settings relevant to disk-based mode and hides those for in-memory lookups.", "default": false }, "matchMode": {}, "matchType": {}, "reloadPeriodSec": {}, "inFields": { "type": "array", "title": "Lookup fields", "description": "Fields that should be used to key into the lookup table", "minItems": 1, "items": { "type": "object", "required": ["eventField"], "properties": { "eventField": { "type": "string", "title": "Lookup Field Name in Event", "description": "Field name as it appears in events", "pattern": "^[a-zA-Z$_'\"][a-zA-Z0-9$_\\[\\]\\.'\"]*$", "$comment": "Matches any properly formed property reference where the first segment is a simple attribute name (e.g. property[\"someProperty\"][0].anotherProperty[2][\"somethingElse\"]" }, "lookupField": { "type": "string", "title": "Corresponding Field Name in Lookup", "description": "Optional: The field name as it appears in the lookup file. Defaults to event field name" } } } }, "outFields": { "type": "array", "title": "Output fields", "description": "Fields to add to events after matching lookup. Defaults to all if not specified.", "items": { "type": "object", "required": ["lookupField"], "properties": { "lookupField": { "type": "string", "title": "Output Field Name from Lookup", "description": "The field name as it appears in the lookup file" }, "eventField": { "type": "string", "title": "Lookup Field Name in Event", "description": "Optional: Field name to add to event. Defaults to lookup field name.", "pattern": "^[a-zA-Z$_][a-zA-Z0-9$_\\[\\]\\.'\"]*$", "$comment": "Matches any properly formed property reference where the first segment is a simple attribute name (e.g. property[\"someProperty\"][0].anotherProperty[2][\"somethingElse\"]." }, "defaultValue": { "type": "string", "title": "Default Value", "description": "Optional: Value to assign if lookup entry is not found" } } } }, "addToEvent": { "type": "boolean", "title": "Add to raw event", "description": "Add the looked-up values to _raw, as key=value pairs", "default": false }, "ignoreCase": {} }, "dependencies": { "dbLookup": { "oneOf": [ { "properties": { "dbLookup": { "enum": [true] } } }, { "properties": { "dbLookup": { "enum": [false] }, "matchMode": { "title": "Match mode", "type": "string", "description": "Specifies the matching method based on the format and logic used in the lookup file", "enum": ["exact", "cidr", "regex"], "enumNames": ["Exact", "CIDR", "Regex"], "default": "exact" }, "reloadPeriodSec": { "type": "number", "title": "Reload period (sec)", "description": "Checks the lookup file periodically for changes and reloads it if modified. Set to -1 to disable reloading (default). Useful for lookups not managed by Stream or not updated by an external process. [Learn more](https://docs.cribl.io/stream/lookup-function/#advanced-settings)", "default": -1 } }, "dependencies": { "matchMode": { "oneOf": [ { "properties": { "matchMode": { "enum": ["cidr", "regex"] }, "matchType": { "title": "Match type", "type": "string", "description": "Further defines how to handle multiple matches: return the first match, the most specific match, or all matches", "enum": ["first", "specific", "all"], "default": "first" } } }, { "properties": { "matchMode": { "enum": ["exact"] }, "ignoreCase": { "type": "boolean", "title": "Ignore case", "default": false, "description": "Whether to ignore case when performing lookups using Match Mode: Exact" } } } ] } } } ] } } } }