An Enrichment Policy consists of a set of enrichment specifications and a set of five or fewer enrichment rules. Enrichment rules define which normalized key-value pairs in the event's message fields are matched against an enrichment source. When there is a match, the additional information from the Enrichment Source is added to the event.
When an Enrichment Policy is configured on a device, each log from the device is matched against all the enrichment rules in ascending order. You can set up as many enrichment policies as you need, but only one Enrichment Policy can be used on a single device.
To sort the columns in ascending or descending order, click the arrow and select Sort Ascending or Sort Descending.
Figure: Sorting Columns
To filter the columns you want in the UI, click the MORE dropdown, click Columns, and select the columns you want.
Figure: Filtering Columns in the UI
Go to Settings >> Configuration from the navigation bar and click Enrichment Policies.
Click ADD.
Figure: Adding an Enrichment Policy
Enter a Policy Name and Description.
In Specification, enter Enrichment Criteria. Use:
Key Presents to enter the name of a key. The policy checks whether the specified key is present in the log.
Value Matches to enter the name of the key and either a value or a Regular Expression. The policy checks whether the specified key is in the log and whether the key's value matches the specified value.
Use the plus (+) and minus (-) icons to add or remove a criterion.
In Enrichment Rule, select an Enrichment Source from the dropdown. Use the plus (+) and minus (-) icons to add or remove a criterion.
Figure: Enrichment Rule
Choose a Source from the dropdown. It displays the fields from the enrichment source that can be matched with the fields from the log.
Choose a type of Operation. It specifies how two fields are compared and is set to Equals by default.
Choose a Category from the dropdown. It specifies whether the field’s value or type is being compared.
If you select the Simple category, enter the Event Key suitable for the source.
If you select the Type Based category, choose an Event Key Type from the dropdown. In this case, all the fields of the selected type are eligible to be taken into consideration.
In Logpoint, the value associated with a key is either a string or a number. An IP-type value is treated as a special case of the string type and is compared using simple string comparison.
Select Enable prefixing to prefix the results with the event key. In this case, Logpoint presents the results in alphabetical order of the event key.
Click Submit.
In a Distributed Logpoints setup, you cannot view or use the enrichment policies of remote Logpoints from the Search Head.
Warning
You cannot use an enriched field as a criterion for the type-based enrichment category. For example, if source_address is an enriched field, you cannot use that field as an enrichment criterion value.
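To make the matching model above concrete, here is an added Python example (not Logpoint code) that evaluates a constructed policy against a constructed event: the criteria gate the event, a Type Based rule with the Equals operation compares every IP-typed key against the source's ip field as strings, and prefixing names the added fields after the event key. The asset table, the key-type map and all field names are assumptions made for the example.

```python
import re
# Constructed enrichment source (not Logpoint data): an asset inventory keyed by IP.
ASSET_SOURCE = [
    {"ip": "10.0.0.5", "hostname": "db01", "owner": "dba-team"},
    {"ip": "10.0.0.9", "hostname": "web01", "owner": "web-team"},
]
# Constructed key types as normalization would assign them; IP is a subtype of string.
EVENT_KEY_TYPES = {"device_ip": "ip", "source_address": "ip", "action": "string", "bytes": "number"}
# Constructed policy mirroring the UI fields: criteria (Key Presents / Value Matches),
# one rule (Source field, Equals operation, Type Based category) and prefixing enabled.
POLICY = {
    "criteria": [
        {"kind": "key_presents", "key": "device_ip"},
        {"kind": "value_matches", "key": "action", "value": r"^(allow|deny)$"},
    ],
    "rules": [{"source_field": "ip", "operation": "Equals",
               "category": "Type Based", "event_key_type": "ip"}],
    "prefixing": True,
}

def criteria_match(event, criteria):
    """Every criterion must hold: Key Presents checks presence, Value Matches adds a regex."""
    for c in criteria:
        if c["key"] not in event:
            return False
        if c["kind"] == "value_matches" and not re.search(c["value"], str(event[c["key"]])):
            return False
    return True

def candidate_keys(event, rule, key_types):
    """Simple: the one configured Event Key. Type Based: every original key of that type.
    Only normalized keys are in key_types, so fields added by enrichment never qualify."""
    if rule["category"] == "Simple":
        return [rule["event_key"]] if rule["event_key"] in event else []
    return [k for k, t in key_types.items() if t == rule["event_key_type"] and k in event]

def enrich(event, policy, source, key_types):
    """Return a copy of the event with the matching source row(s) merged in."""
    if not criteria_match(event, policy["criteria"]):
        return dict(event)
    added = {}
    for rule in policy["rules"]:
        for key in candidate_keys(event, rule, key_types):
            for row in source:
                if str(row[rule["source_field"]]) == str(event[key]):  # Equals: string compare
                    for field, val in row.items():
                        if field != rule["source_field"]:
                            added[f"{key}_{field}" if policy["prefixing"] else field] = val
    out = dict(event)
    out.update(sorted(added.items()))  # prefixed results are presented sorted by event key
    return out
```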
Go to Settings >> Configuration from the navigation bar and click Enrichment Policies. To view the details of each enrichment policy, click the Details icon under Actions.
Select the required enrichment policy and update the information.
Click Submit.
Before deleting an enrichment policy, make sure it is not in use.
Go to Settings >> Configuration from the navigation bar and click Enrichment Policies.
Click the Delete icon under Actions.
To delete multiple enrichment policies, select the policies, click MORE and choose Delete Selected.
To delete all the enrichment policies, click MORE and choose Delete All.
Figure: Deleting Enrichment Policies
Click Yes.