Example: Specify match slots and enrichment slots in the policy equal to the slots in the source file
Suppose your source file contains the following data. In the policy, the total number of match slots and enrichment slots must be equal to three because the source file contains three types of values only.
In the following table, each column corresponds to a type of slot value:
- Column A corresponds to the Status match slot.
- Column B corresponds to the Severity match slot.
- Column C corresponds to the Message enrichment slot.
Based on the following definition, while creating the dynamic enrichment policy:
- Under the Match Settings, you need to select the Status slot first, followed by the Severity slot.
- Under the Enrich Settings, you need to select the Message slot.
Also, notice the commented lines mentioned in column D. You can comment lines by preceding them with the hash symbol (#). Commented lines are not considered for matching and enriching.
| A | B | C | D |
|---|---|---|---|
| OPEN | CRITICAL | Host A: Requires restart | #Column A indicates the event status. #Column B indicates the event severity. #Column C indicates the event message. |
| OPEN | MAJOR | Status requires action | |
| ASSIGNED | MAJOR | Status requires action |
Example: Source file for specifying wildcard characters and slot placeholders
Suppose your source file contains the following data.
In the following table, each column corresponds to a type of slot value:
- Column A corresponds to the Severity match slot.
- Column B corresponds to the Location match slot.
- Column C corresponds to the Owner (or the assigned user) match slot.
- Column D corresponds to the Message enrichment slot.
| A | B | C | D |
|---|---|---|---|
| CRIT* | Houston | Christian Clark | %location% is assigned to %user_assigned% |
| MAJOR | Atlanta | Dave Johnson | %location% is assigned to %user_assigned% |
| *RITICAL | New York | Sheila Ray | %location% is assigned to %user_assigned% |
| *RITIC* | Seattle | James Smith | %location% is assigned to %user_assigned% |
| MINOR | San Jose | Mike Adams | %location% is assigned to %user_assigned% |
| INFO* | * | Jayson Taylor | %location% is assigned to %user_assigned% |
| CRITICAL | Houston | Emily Brown | %location% is assigned to %user_assigned% |
| MINO* | Houston | Christian Clark | %location% is assigned to %user_assigned% |
In the values to be used for matching, you can specify asterisk as the wildcard character. In the values to be used for enriching, you can specify slot placeholders. When the policy is applied, the slot names are replaced with appropriate slot values from the incoming event.
In the preceding table, you can see how a leading asterisk, a trailing asterisk, and an asterisk all by itself is specified in the values to be used for matching. You can also see the placeholder slots (%slotname%) specified for the values to be used for enriching.
At the time of matching, if the matching preference is set to Best Match, then the following order of preference is applied:
- exact match (for example, CRITICAL)
- starts with (for example, CRIT*)
- ends with (for example, *RITICAL)
- contains (for example, *RITIC*)
- any (for example, *)
Precedence among starts with, ends with, and contains preference types
While evaluating the best match among multiple values, the first value in the source file that matches the value in the incoming event is given preference over other matching values.
For example, your source file contains the following sample data. In the following tables, each column corresponds to a type of slot value:
| A | B |
|---|---|
| 91.243.* | Switch1 |
| 91.* | Switch2 |
| 9.* | Switch3 |
Suppose, the Host Address value in the incoming event is 91.243.81.234. In this scenario, the message in the event is enriched with Switch1.
However, if you want to enrich a message in the event based on your requirement, consider placing the desired message row at the start of the source file.
Column E in the following table indicates how the values would be processed based on the Best Match and First Match preference:
| A | B | C | D | E |
|---|---|---|---|---|
| CRIT* | Houston | Christian Clark | %location% is assigned to %user_assigned% | First Match only |
| MAJOR | Atlanta | Dave Johnson | %location% is assigned to %user_assigned% | First Match and Best Match |
| *RITICAL | New York | Sheila Ray | %location% is assigned to %user_assigned% | First Match and Best Match |
| *RITIC* | Seattle | James Smith | %location% is assigned to %user_assigned% | First Match and Best Match |
| MINOR | San Jose | Mike Adams | %location% is assigned to %user_assigned% | First Match and Best Match |
| INFO* | * | Jayson Taylor | %location% is assigned to %user_assigned% | First Match and Best Match |
| CRITICAL | Houston | Emily Brown | %location% is assigned to %user_assigned% | Best Match only |
| MINO* | Houston | Christian Clark | %location% is assigned to %user_assigned% | First Match and Best Match |
