
Enrichers

Enrichers supplement the parsed event with extra data.

An enricher can:

  1. Create a new field in the event.
  2. Transform a field's values in some way (changing a letter case, performing a calculation, etc).
  3. Delete an existing field if the specified condition is met.

Enrichers are most commonly used to:

  1. Specify the dataset where the logs will be stored in ElasticSearch (add the field event.dataset).
  2. Obtain facility and severity from the syslog priority field.

  • Write enrichers in YAML.
  • Specify parsec/enricher in the define field.

```yaml
define:
    type: parsec/enricher

enrich:
    event.dataset: <dataset_name>
    new.field: <expression>
    ...

delete:
    existing.field: <expression>
```

Note

Both enrich and delete sections are optional, but you have to use at least one of them.

Example 1: Enrich the event with new fields

The following example is an enricher used for events in syslog format. Suppose you have a parser for events of the form:

```
<14>1 2023-05-03 15:06:12 server pid: Username 'HarryPotter' logged in.
```

The parsed event has the form:

```json
{
    "log.syslog.priority": 14,
    "user.name": "HarryPotter"
}
```

You want to obtain syslog severity and facility, which are computed in the standard way:

(facility * 8) + severity = priority

You would also like to lowercase the name HarryPotter to harrypotter in order to unify user names across various log sources.

Therefore, you create an enricher:

enricher.yaml

```yaml
define:
    type: parsec/enricher

enrich:
    event.dataset: 'dataset_name'
    user.id: !LOWER { what: !GET {from: !ARG EVENT, what: user.name} }

    # facility and severity are computed from 'log.syslog.priority' in the
    # standard way: priority = (facility * 8) + severity
    log.syslog.facility.code: !SHR
        what: !GET { from: !ARG EVENT, what: log.syslog.priority }
        by: 3
    log.syslog.severity.code: !AND [ !GET {from: !ARG EVENT, what: log.syslog.priority}, 7 ]
```

Example 2: Delete an unsuitable field from the event

The following enricher deletes the host.name field from the event if its value contains the string SRV:

enricher.yaml

```yaml
define:
    type: parsec/enricher

delete:
    host.name: !IN
        what: "SRV"
        where: !GET {from: !ARG EVENT, what: host.name}
```
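To make the behaviour of both examples concrete, the following added Python model evaluates the expressions used above (!GET, !LOWER, !SHR, !AND, !IN) against constructed events. It is not parsec's or SP-Lang's implementation: the expression trees are hand-built Python tuples standing in for the YAML tags, the "enrich before delete" order is an assumption of this model, and the events are constructed here from the page's sample data. It shows that priority 14 decodes to facility 1 and severity 6, that HarryPotter becomes harrypotter, and that host.name is dropped only when its value contains SRV.

```python
"""Illustrative model of the enricher semantics on this page (not parsec's code).

Expression nodes (hypothetical tuple encoding of the YAML tags):
  ("GET", field)           -> !GET {from: !ARG EVENT, what: field}
  ("LOWER", expr)          -> !LOWER { what: expr }
  ("SHR", expr, by)        -> !SHR { what: expr, by: by }
  ("AND", expr, mask)      -> !AND [ expr, mask ]
  ("IN", needle, expr)     -> !IN { what: needle, where: expr }
Anything that is not a tuple is a literal value.
"""


def evaluate(expr, event):
    """Evaluate an expression tree against a parsed event.

    A missing field yields None, and None propagates through the arithmetic
    operators so that an absent input never produces a bogus field value.
    """
    if not isinstance(expr, tuple):
        return expr  # literal such as 'dataset_name'
    op = expr[0]
    if op == "GET":
        return event.get(expr[1])
    if op == "LOWER":
        value = evaluate(expr[1], event)
        return value.lower() if isinstance(value, str) else value
    if op == "SHR":
        value = evaluate(expr[1], event)
        return None if value is None else value >> expr[2]
    if op == "AND":
        value = evaluate(expr[1], event)
        return None if value is None else value & expr[2]
    if op == "IN":
        haystack = evaluate(expr[2], event)
        return isinstance(haystack, str) and expr[1] in haystack
    raise ValueError(f"unknown operator {op!r}")


def apply_enricher(event, enrich=None, delete=None):
    """Apply an enrich section and then a delete section to a copy of the event.

    Enrichment reads from the original event; a field is only created when its
    expression evaluates to a value. Deletion removes the field only when the
    condition is true. The enrich-then-delete order is an assumption of this model.
    """
    out = dict(event)
    for field, expr in (enrich or {}).items():
        value = evaluate(expr, event)
        if value is not None:
            out[field] = value
    for field, condition in (delete or {}).items():
        if evaluate(condition, event) and field in out:
            del out[field]
    return out


# Example 1 from the page, encoded as expression trees.
EXAMPLE1_ENRICH = {
    "event.dataset": "dataset_name",
    "user.id": ("LOWER", ("GET", "user.name")),
    # SHR by 3 is integer division by 8; AND 7 is the remainder modulo 8.
    "log.syslog.facility.code": ("SHR", ("GET", "log.syslog.priority"), 3),
    "log.syslog.severity.code": ("AND", ("GET", "log.syslog.priority"), 7),
}

# Example 2 from the page.
EXAMPLE2_DELETE = {
    "host.name": ("IN", "SRV", ("GET", "host.name")),
}

# Constructed event matching the parsed sample line '<14>1 ... HarryPotter ...'.
SAMPLE_EVENT = {"log.syslog.priority": 14, "user.name": "HarryPotter"}


def run_example1(event=None):
    """Enrich the sample syslog event; returns the enriched event."""
    return apply_enricher(SAMPLE_EVENT if event is None else event, enrich=EXAMPLE1_ENRICH)


def run_example2(event):
    """Drop host.name when it contains 'SRV'; returns the resulting event."""
    return apply_enricher(event, delete=EXAMPLE2_DELETE)


if __name__ == "__main__":
    print(run_example1())
    print(run_example2({"host.name": "SRV-01"}))  # constructed host name
    print(run_example2({"host.name": "web-01"}))  # constructed host name
```

Running the block prints the enriched sample event (facility code 1, severity code 6, user.id harrypotter) and shows host.name removed only for the constructed value containing SRV. The None propagation in evaluate is the check a practitioner wants: an event whose parser failed to extract log.syslog.priority ends up without facility and severity codes rather than with misleading zeros.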