sonar-add-address-batch
Batch-adds IP address values from specified fields in input records to an address group. If you specify a retention period, the addresses are automatically deleted after that period elapses.
Command properties
| Item | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- `guid=STR`: GUID of the address group to add addresses to.
- `fields=STR`: Comma-separated list of field names in the input record that contain IP addresses to add to the address group. You can specify multiple fields separated by commas (`,`).
- `period=INT`: Retention period for added addresses, in minutes. Specify a value in the range 1–52,560,000. If not specified, addresses are retained indefinitely.
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 300119 | sonar-add-address-batch 명령어에 guid 옵션을 지정하세요. | The guid option is not specified. |
| 300120 | sonar-add-address-batch의 guid 옵션 값은 GUID 포맷 형식이어야 합니다. | The guid option value is not in GUID format. |
| 300121 | 주소 그룹(구 IP 블랙리스트)이 존재하지 않습니다. | No address group exists for the specified GUID. |
| 300122 | sonar-add-address-batch 명령어에 fields 옵션을 지정하세요. | The fields option is not specified. |
| 300123 | sonar-add-address-batch 명령어의 period 옵션은 자연수로 지정해야 합니다. | The period option value is not an integer. |
| 300124 | sonar-address-batch 명령어의 period 옵션은 1~52560000 범위로 지정해야 합니다. | The period option value is outside the range 1–52,560,000. |
Runtime errors
N/A
Description
The sonar-add-address-batch command asynchronously adds IP address values from the specified fields in input records to an address group. Input records are passed to the next command unchanged.
If you specify multiple fields with the fields option, each field value is processed in order. Fields with a null value or an invalid IP address are skipped. Field values can be either string or IP address type.
If you specify the period option, the expiration time of the added address is set to the current time plus the specified number of minutes. If not specified, the address is retained indefinitely without an expiration time.
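The rules in this description and the parse errors listed above, modelled in Python as an added example (not the product's code): `check_options` returns the documented parse error code a set of options would hit, and `addresses_to_add` lists which values would reach the address group and when they expire. The check order, the trimming of spaces around field names, and the use of Python's `ipaddress` module to decide validity are assumptions; error 300121 needs a server-side lookup and is not modelled.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
PERIOD_MIN, PERIOD_MAX = 1, 52_560_000  # range from the Options section

def check_options(guid=None, fields=None, period=None):
    """Return the documented parse error code these options hit, or None.
    Check order is an assumption; 300121 needs a server lookup (not modelled)."""
    if not guid:
        return 300119
    if not GUID_RE.fullmatch(guid):
        return 300120
    if not fields:
        return 300122
    if period is not None:
        if not re.fullmatch(r"[0-9]+", str(period)):
            return 300123
        if not PERIOD_MIN <= int(period) <= PERIOD_MAX:
            return 300124
    return None

def addresses_to_add(records, fields, period=None, now=None):
    """Model of the Description: fields are read in order, null or invalid
    values are skipped, expiry is now + period minutes (None = indefinite)."""
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(minutes=period) if period is not None else None
    names = [f.strip() for f in fields.split(",")]  # trimming is an assumption
    added = []
    for record in records:
        for name in names:
            value = record.get(name)
            if value is None:
                continue
            try:
                ip = ipaddress.ip_address(str(value))  # validity rule assumed
            except ValueError:
                continue
            added.append((str(ip), expires))
    return added

SAMPLE_RECORDS = [  # constructed input records
    {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.20"},
    {"src_ip": None, "dst_ip": "198.51.100.21"},
    {"src_ip": "not-an-ip", "dst_ip": "198.51.100.22"},
]
```

Running the option check over generated queries before they are scheduled catches a missing `period`, which would otherwise leave automatically added addresses in the group indefinitely.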
Examples
- Add detected source IPs to an address group

  ```
  event duration=1h "brute force" | sonar-add-address-batch guid="550e8400-e29b-41d4-a716-446655440000" fields="src_ip"
  ```

  Adds source IP addresses from brute force events in the past hour to the specified address group.

- Add addresses with a retention period

  ```
  event duration=1h "brute force" | sonar-add-address-batch guid="550e8400-e29b-41d4-a716-446655440000" fields="src_ip" period=1440
  ```

  Adds source IP addresses to the address group and sets them to be automatically deleted after 24 hours (1,440 minutes).

- Add multiple IP fields at once

  ```
  event duration=1h | sonar-add-address-batch guid="550e8400-e29b-41d4-a716-446655440000" fields="src_ip, dst_ip" period=60
  ```

  Adds both source and destination IP addresses from events to the address group, set to be automatically deleted after 60 minutes.