Enrichment Item Parameters (Composition & Extraction)
For composition and extraction enrichment items, a unique object is created for each item.
Enrichment item order is based on the order it appears in the UI or API call. New rules will be added to the top of the existing enrichment order for that tag.
The enrichment item object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the automatic enrichment item. | String |
type | Automatic Enrichment rule type. One of: composition, extraction | String |
active | Whether the rule should be applied to incoming alerts. | Boolean |
when | A BPQL object query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object |
version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer |
config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. | Object |
created_by | The unique ID associated with the user who created the enrichment item. | String |
updated_by | The unique ID associated with the user who last updated the enrichment item. | String |
note | A description of the enrichment item purpose or functionality. | String |
Composition Enrichment Items
Composition enrichment items are created by defining a value template.
Composition Template: A simple formula to populate a tag value using strings and other tag values.
Use any tag value as a variable, in the format `${<tag_name>}`. For example:

    mywiki.com/${host}/${check}

Special formatting is required for tag values that contain encoded characters for URLs. If the tag value contains encoded values for the characters `%`, `+`, or a space, use the format `${exact(<tagname>)}` to protect the values from being re-encoded.
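As an added illustration (not BigPanda's own code), the following Python renders a composition template over a constructed set of alert tags. It models the re-encoding the page warns about as percent-encoding of plain `${tag}` substitutions, which is an assumption about the consumer's behaviour; `${exact(tag)}` values are inserted verbatim, and a template that references a missing tag is treated as no enrichment (also an assumption).

```python
import re
from typing import Optional
from urllib.parse import quote

# Constructed sample alert tags (not from the page). "path" already holds
# URL-encoded characters, the case ${exact(...)} exists for.
ALERT_TAGS = {
    "host": "web-01",
    "check": "disk space",
    "path": "%2Fvar%2Flog+archive",
}

# Matches ${tag} (group "plain") or ${exact(tag)} (group "exact").
_VAR = re.compile(r"\$\{(?:exact\((?P<exact>\w+)\)|(?P<plain>\w+))\}")


def render_composition(template: str, tags: dict) -> Optional[str]:
    """Expand a composition template against an alert's tags.

    Assumptions (the page does not specify these details):
      * a plain ${tag} substitution is percent-encoded, so a value that is
        already encoded would be encoded a second time;
      * ${exact(tag)} inserts the value verbatim, protecting '%', '+' and
        spaces from that re-encoding;
      * a template that references a tag the alert lacks yields None,
        i.e. the alert is not enriched.
    """
    def substitute(match: "re.Match") -> str:
        name = match.group("exact") or match.group("plain")
        if name not in tags:
            raise KeyError(name)
        value = str(tags[name])
        return value if match.group("exact") else quote(value, safe="")

    try:
        return _VAR.sub(substitute, template)
    except KeyError:
        return None
```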
Extraction Enrichment Items
Extraction enrichment items are created by defining a regular expression (regex formula).
Extraction Regex: The regular expression used to extract the new tag value from the source tag value.
Use a caret `^` to indicate "starts with" and a dollar sign `$` to indicate "ends with". Use parentheses to surround the capture group for the extraction. BigPanda uses the contents of the first capture group to create the value of the alert enrichment tag.
Use a non-capturing group to ignore part of the contents.
If a tag value doesn't match the pattern, the alert is not enriched with the alert enrichment item.
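As an added example (not BigPanda's code), this Python applies an extraction config object, in the shape of the page's example objects where `config.source` names the source tag, to constructed alerts: the first capture group becomes the destination tag, a non-capturing group drops the role prefix, and an alert whose source tag is missing or does not match is left unenriched.

```python
import re
from typing import Optional

# Constructed sample alerts (not from the page).
ALERTS = [
    {"source_system": "nagios", "host": "db-03.prod.example.com"},
    {"source_system": "nagios", "host": "cache-7.staging.example.com"},
    {"source_system": "nagios", "host": "localhost"},
]

# Extraction config in the shape of the page's config object. The regex uses a
# non-capturing group (?:...) for the role prefix so that only the environment
# segment is captured; ^ and $ anchor it to the whole hostname.
ENV_CONFIG = {
    "source": "host",
    "destination": "environment",
    "regex": r"^(?:[a-z]+-\d+)\.([a-z]+)\.example\.com$",
    "template": None,
}


def extract_value(config: dict, alert: dict) -> Optional[str]:
    """Return the first capture group of config['regex'] applied to the source
    tag, or None when the tag is missing, the pattern does not match, or the
    pattern has no capture group at all."""
    source_value = alert.get(config["source"])
    if source_value is None:
        return None
    match = re.search(config["regex"], str(source_value))
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


def apply_extraction(config: dict, alert: dict) -> dict:
    """Return a copy of the alert with the destination tag set, or an
    unchanged copy when nothing could be extracted (alert not enriched)."""
    enriched = dict(alert)
    value = extract_value(config, alert)
    if value is not None:
        enriched[config["destination"]] = value
    return enriched
```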
Config Object Attributes
Composition Config Attributes
Attribute | Description | Type |
---|---|---|
source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String |
destination | Which tag the enrichment item will apply to. | String |
value | Template for building a value based on existing tags and string values. | String |
Extraction Config Attributes
Attribute | Description | Type |
---|---|---|
source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String |
destination | Which tag the enrichment item will apply to. | String |
regex | The pattern for extracting the tag value from alert data. | String |
template | The structure of the value. System field; this value should not be modified. | String |
Mapping Enrichment Items
Mapping enrichments are managed through their map object. See the Best Practices for Mapping Enrichments for details on defining mapping enrichments.
Example Objects
Extraction
```json
{
  "type": "extraction",
  "active": true,
  "when": { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] },
  "config": {
    "source": "host",
    "destination": "tag_name",
    "regex": "(.*)",
    "template": null
  },
  "note": null
}
```
Composition
```json
{
  "type": "composition",
  "active": true,
  "when": { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] },
  "config": {
    "destination": "tag_name",
    "value": "val-${host6666}"
  },
  "note": "wiki.com"
}
```
Enrichment Retrieval Result
```json
{
  "id": "d8215c7d-04ad-41fd-8293-5aca3002b111",
  "type": "composition",
  "active": true,
  "when": true,
  "version": 1,
  "config": { "destination": "dest", "value": "TEST - *" },
  "created_by": "58d77efa5eafe459163f4111",
  "updated_by": "58d77efa5eafe459163f4111",
  "note": null
}
```