Defines the schema for an alert tag.
| API Endpoints | /resources/v2.1/enrichments-config/tags/{TAG_NAME}/enrichments |
| Supported Methods | POST, GET, PATCH, DELETE |
Enrichment Item Parameters (Composition & Extraction)
For composition and extraction enrichment items, a unique object is created for each item.
Enrichment item order is based on the order it appears in the UI or API call. New rules will be added to the top of the existing enrichment order for that tag.
The enrichment item object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| id | System-generated unique identifier for the automatic enrichment item. | String | "191217f6-481d-464e-9f12-3ed846a72555" |
| type | Automatic Enrichment rule type. One of: composition, extraction | String | "composition" |
| active | Whether the rule should be applied to incoming alerts. | Boolean | true |
| when | A BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object | { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] } |
| version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer | 1 |
| config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. See the Config Attributes tables for more information. | Object | { “source”: “nagios”, "destination": "tag_name", "value": "val-${host6666}" } OR { "source": "host", "destination": "tag_name", "regex": "(.*)", "template": null } |
| created_by | The unique ID associated with the user who created the enrichment item. | String | "60c5238222fa55553d93d555" |
| updated_by | The unique ID associated with the user who last updated the enrichment item. | String | "60c5238222fa55553d93d555" |
| note | A description of the enrichment item purpose or functionality. | String | "adding region" OR "special extraction for nagios" |
Config Object Attributes
Composition Config Attributes
| Attribute | Description | Type | Example |
|---|---|---|---|
| source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String | “source”: “nagios" |
| destination | Which tag the enrichment item will apply to. | String | "destination": "tag_name" |
| value | Template for building a value based on existing tags and string values. | String | "value": "val-${host6666}" |
Extraction Config Attributes
| Attribute | Description | Type | Example |
|---|---|---|---|
| source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String | "source": "host" |
| destination | Which tag the enrichment item will apply to | String | "destination": "tag_name" |
| regex | The pattern for extracting tag value from alert data | String | "regex": "(.*)" |
| template | The structure of the value - system field. This value should not be modified. | String | "template": null |
Mapping Enrichment Items
Mapping enrichments are managed through their map object. See the Best Practices for Mapping Enrichments for details on defining mapping enrichments.
Example Tag with Enrichment Items
{
"name": "tag_name",
"active": true,
"description": "",
"enrichments": [
{
"type": "extraction",
"active": true,
"when": {
"IN": [
"source_system",
[
{
"type": "regex",
"value": "*"
}
]
]
},
"config": {
"source": "host",
"destination": "tag_name",
"regex": "(.*)",
"template": null
},
"note": null
},
{
"type": "composition",
"active": true,
"when": {
"IN": [
"source_system",
[
{
"type": "regex",
"value": "*"
}
]
]
},
"config": {
"destination": "tag_name",
"value": "val-${host6666}"
},
"note": "wiki.com"
}
]
}