Enrichers
Enrichers supplement the parsed event with extra data.
An enricher can:
- Create a new field in the event.
- Transform a field's values in some way (changing a letter case, performing a calculation, etc).
- Delete an existing field if the specified condition is met.
Enrichers are most commonly used to:
- Specify the dataset where the logs will be stored in ElasticSearch (add the field event.dataset).
- Obtain facility and severity from the syslog priority field.
```yaml
define:
  type: parsec/enricher

enrich:
  event.dataset: <dataset_name>
  new.field: <expression>
  ...

delete:
  existing.field: <expression>
```
- Write enrichers in YAML.
- Specify parsec/enricher in the define field.
Note: Both enrich and delete sections are optional, but you have to use at least one of them.
Example 1: Enrich the event with new fields
The following example is an enricher used for events in syslog format. Suppose you have a parser that turns an event of the form:

```
<14>1 2023-05-03 15:06:12 server pid: Username 'HarryPotter' logged in.
```

into:

```json
{
  "log.syslog.priority": 14,
  "user.name": "HarryPotter"
}
```
You want to obtain syslog severity and facility, which are computed in the standard way:

(facility * 8) + severity = priority

In other words, facility = priority >> 3 (shift right by three bits) and severity = priority & 7 (the lowest three bits). You would also like to lowercase the name HarryPotter to harrypotter in order to unify the users across various log sources. Therefore, you create an enricher:
enricher.yaml

```yaml
define:
  type: parsec/enricher

enrich:
  event.dataset: 'dataset_name'
  user.id: !LOWER { what: !GET {from: !ARG EVENT, what: user.name} }

  # facility and severity are computed from 'log.syslog.priority' in the standard way
  # (for priority 14 this yields facility 1 and severity 6)
  log.syslog.facility.code: !SHR
    what: !GET { from: !ARG EVENT, what: log.syslog.priority }
    by: 3
  log.syslog.severity.code: !AND [ !GET {from: !ARG EVENT, what: log.syslog.priority}, 7 ]
```
Example 2: Delete an unsuitable field from the event
The following enricher deletes the host.name field from the event if its value contains the string SRV:
enricher.yaml

```yaml
define:
  type: parsec/enricher

delete:
  host.name: !IN
    what: "SRV"
    where: !GET {from: !ARG EVENT, what: host.name}
```
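To make the semantics of Example 1 and Example 2 concrete, here is an added, stand-alone Python evaluator for the small SP-Lang subset they use (!ARG, !GET, !LOWER, !SHR, !AND, !IN); it is not part of the parsec product. It assumes the enrich section runs before delete, that later enrich fields may read earlier ones, and that the enricher definition has been transcribed from YAML into nested dicts of the form {"!TAG": args}; the sample event is constructed.

```python
def evaluate(expr, event):
    """Evaluate one enricher expression against the parsed event.

    Tagged expressions look like {"!TAG": args}; anything else is a literal
    (for example 'dataset_name' or the mask 7) and evaluates to itself.
    """
    if not (isinstance(expr, dict) and len(expr) == 1 and next(iter(expr)).startswith("!")):
        return expr
    tag, args = next(iter(expr.items()))
    ev = lambda a: evaluate(a, event)
    if tag == "!ARG":                                  # !ARG EVENT -> the event mapping itself
        return event if args == "EVENT" else None
    if tag == "!GET":                                  # !GET {from: <mapping>, what: <key>}
        return ev(args["from"]).get(args["what"])
    if tag == "!LOWER":                                # !LOWER {what: <string>}
        return ev(args["what"]).lower()
    if tag == "!SHR":                                  # !SHR {what: <int>, by: <bits>}: priority >> 3 = facility
        return ev(args["what"]) >> ev(args["by"])
    if tag == "!AND":                                  # !AND [a, b, ...]: bitwise and, priority & 7 = severity
        result = ev(args[0])
        for a in args[1:]:
            result &= ev(a)
        return result
    if tag == "!IN":                                   # !IN {what: <needle>, where: <haystack>}
        return ev(args["what"]) in ev(args["where"])
    raise ValueError(f"unsupported tag {tag}")


def apply_enricher(definition, event):
    """Apply the enrich section, then the delete section; returns a new event dict."""
    out = dict(event)                                  # never mutate the caller's event
    for field, expr in definition.get("enrich", {}).items():
        out[field] = evaluate(expr, out)               # assumption: later fields see earlier ones
    for field, cond in definition.get("delete", {}).items():
        if field in out and evaluate(cond, out):       # skip the test when the field is absent
            del out[field]
    return out


def get_event(what):                                   # shorthand for !GET {from: !ARG EVENT, what: ...}
    return {"!GET": {"from": {"!ARG": "EVENT"}, "what": what}}


# Example 1 and Example 2 from this page, transcribed into dict form (hypothetical transcription).
ENRICHER = {
    "enrich": {
        "event.dataset": "dataset_name",
        "user.id": {"!LOWER": {"what": get_event("user.name")}},
        "log.syslog.facility.code": {"!SHR": {"what": get_event("log.syslog.priority"), "by": 3}},
        "log.syslog.severity.code": {"!AND": [get_event("log.syslog.priority"), 7]},
    },
    "delete": {"host.name": {"!IN": {"what": "SRV", "where": get_event("host.name")}}},
}

# Constructed sample event: the parsed syslog line from Example 1 plus a host name for Example 2.
SAMPLE_EVENT = {"log.syslog.priority": 14, "user.name": "HarryPotter", "host.name": "SRV-01"}

if __name__ == "__main__":
    print(apply_enricher(ENRICHER, SAMPLE_EVENT))
```

For priority 14 the result carries facility 1 and severity 6, user.id harrypotter, and no host.name field because SRV-01 matched the delete condition.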