Introduction
Log enrichment allows you to enhance your log data by adding or updating attributes based on specific rules. This is done using Lookup Tables, Source Tags, and Enrichment Configuration under Logs Configuration. The enriched data provides more context and value, making it easier to analyze and act upon logs.
To open the Enrichment settings:
- Navigate to Infrastructure > Logs.
- On the left side of this page, click the Menu icon.
- From the MY LOGS VIEWS page, under QUICK LINKS, select Logs Configuration. The configuration page is displayed.
- From the configuration page, select the Enrichment tab. The enrichment details page is displayed with two sub-tabs:
- Lookup Tables
- Enrichment Configuration
Lookup Tables
Lookup Tables are essential for enriching logs. They define the attributes that will be added or updated in your logs based on matching rules.
To create a lookup table:
- Click the LOOKUP TABLES tab within the Enrichment section.
- Click +ADD. The ADD LOOKUP TABLE screen is displayed.
- Enter a name for your lookup table.
- Upload a CSV file containing the attributes you want to use for enrichment. The CSV file should be structured according to your enrichment requirements.
- Once the name and CSV file are provided, click ADD LOOKUP TABLE to save the changes.
Enrichment Configuration
After setting up a Lookup Table, you can create Enrichment Configs that specify how these attributes are applied to your logs.
To create a configuration:
- Click the ENRICHMENT CONFIGS tab.
- Click +ADD. The ENRICHMENT CONFIGURATION page is displayed.
- On the ENRICHMENT CONFIGURATION page, provide the following information:
- GENERAL DETAILS:
- Name: Enter a name for the configuration.
- Priority Order: Set the priority for this configuration. This determines the order in which configurations are applied if multiple rules match.
- Lookup Table: Click the Lookup Table button and, in the Lookup Table dropdown, select the lookup table for which you want to create a configuration.
Note
You can add only one lookup table to a configuration.
- Source Tags: Click the Source Tags button. The page displays the Enrichment Rules section, where you can enter matching conditions.
- LOG FILTER CRITERIA: Click the +ADD FILTER option. Select the available attributes to define the filter criteria. This will determine which logs are enriched by this configuration.
- ENRICHMENT RULES: Define conditions and matching fields under the Enrichment Rules section. These rules specify how and when the enrichment occurs.
- LOG FIELDS: Choose the log fields that should be appended or updated when all conditions are met.
Note
You can include multiple rules within a single enrichment configuration.
After configuring all the necessary settings, click ADD CONFIGURATION to save your enrichment setup.
Source Tags
Source Tags enable identification of the originating resources for logs, especially in centralized logging environments where logs are forwarded through intermediate devices like log hosts. This feature ensures that logs maintain resource-specific traceability and are enriched with contextual data such as Department, Region, or Hostname, even when a Resource UUID is missing from the source.
To enable Source Tags:
- Go to ENRICHMENT. To access the ENRICHMENT tab, see
- Click the ENRICHMENT tab.
- Click the ENRICHMENT CONFIGURATION tab.
- Click +ADD.
- Click Source Tags button.
Custom Attributes for Logs with Resource UUID:
You can enable the Log Value checkbox in the Custom Attributes section. This determines which attributes are included in enriched logs.
Note
This feature is available only for Log resources and only in the new UI. The following table describes the functional behavior in different scenarios.
| Scenario | Functional Behavior |
|---|---|
| Single Lookup Table in a Single Enrichment Configuration | Logs are enriched using one lookup table and one setup. Filters and rules extract data from the table and add relevant attributes to the logs. |
| Single Lookup Table in Multiple Enrichment Configurations | One lookup table is used in multiple setups. Each setup applies its own rules and filters, enriching logs sequentially based on a defined priority order. |
| Multiple Lookup Tables in Multiple Enrichment Configurations | Each setup uses its own lookup table. Logs are enriched with attributes from multiple tables, processed one at a time, in the specified priority order. |
| Single Enrichment Configuration with Source Tags | Logs are enriched by applying filters to identify relevant logs, adding resource details (like IDs and custom attributes) to the matching logs. |
| Enrichment Configuration with Both Lookup Table and Source Tags | Logs are enriched using a mix of lookup tables and tags. Multiple setups are processed sequentially, each adding attributes to logs based on its logic. |
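The following Python script is an added illustration of the enrichment model described in the Lookup Tables, Enrichment Configuration and Source Tags sections and summarized in the table above; it is not the product's own code and does not call its API. It models a lookup table as parsed CSV rows, an enrichment configuration as filter criteria plus rules, log fields and a priority, and shows how several configurations chain when applied one at a time in priority order, and how a source-tag style configuration attaches resource details to logs that arrive without a Resource UUID. The CSV column names, the sample log records, the equality semantics of the filter, "lower priority number is applied first" and "first matching row wins" are all assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample lookup tables (hypothetical CSV content, not from the product).
# Column names are assumptions; the page only says the CSV is structured to your needs.
HOSTS_CSV = """hostname,department,region
web-01,Finance,us-east
db-01,Platform,eu-west
"""
REGIONS_CSV = """region,data_center
us-east,dc-ashburn
eu-west,dc-dublin
"""


def load_lookup_table(csv_text: str) -> list[dict]:
    """Parse an uploaded CSV into rows keyed by header (the lookup table)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


@dataclass
class EnrichmentConfig:
    name: str
    priority: int                 # assumption: lower number is applied first
    log_filter: dict              # LOG FILTER CRITERIA: attribute -> required value
                                  #   (None means "attribute must be absent")
    rules: dict = field(default_factory=dict)         # ENRICHMENT RULES: log field -> lookup column
    log_fields: list = field(default_factory=list)    # LOG FIELDS to append or update
    lookup_table: list = field(default_factory=list)  # at most one table per configuration
    source_tags: dict = field(default_factory=dict)   # Source Tags: constant resource attributes


def matches_filter(log: dict, log_filter: dict) -> bool:
    """Every filter attribute must equal the required value (None = absent)."""
    return all(log.get(attr) == value for attr, value in log_filter.items())


def apply_config(log: dict, cfg: EnrichmentConfig) -> dict:
    """Apply one configuration; returns a new dict, the input is not mutated."""
    if not matches_filter(log, cfg.log_filter):
        return log
    enriched = dict(log)
    enriched.update(cfg.source_tags)              # attach resource details
    for row in cfg.lookup_table:
        if cfg.rules and all(log.get(f) == row.get(c) for f, c in cfg.rules.items()):
            for col in cfg.log_fields:
                if col in row:
                    enriched[col] = row[col]      # append or update the log field
            break                                 # assumption: first matching row wins
    return enriched


def enrich(log: dict, configs: list[EnrichmentConfig]) -> dict:
    """Apply every configuration sequentially in priority order."""
    for cfg in sorted(configs, key=lambda c: c.priority):
        log = apply_config(log, cfg)
    return log


HOSTS = load_lookup_table(HOSTS_CSV)
REGIONS = load_lookup_table(REGIONS_CSV)

CONFIGS = [
    EnrichmentConfig("host-details", priority=1, log_filter={"source": "syslog"},
                     rules={"hostname": "hostname"},
                     log_fields=["department", "region"], lookup_table=HOSTS),
    # Chained: its rule matches on "region", which the priority-1 configuration adds.
    EnrichmentConfig("region-to-dc", priority=2, log_filter={"source": "syslog"},
                     rules={"region": "region"},
                     log_fields=["data_center"], lookup_table=REGIONS),
    # Source-tag style: only for logs forwarded without a Resource UUID.
    EnrichmentConfig("loghost-tags", priority=3, log_filter={"resource_uuid": None},
                     source_tags={"forwarded_via": "loghost-01"}),
]

# Constructed sample log records (hypothetical, not captured from a real system).
SAMPLE_LOGS = [
    {"source": "syslog", "hostname": "web-01", "resource_uuid": "r-123", "msg": "login ok"},
    {"source": "syslog", "hostname": "db-01", "msg": "slow query"},
    {"source": "syslog", "hostname": "unknown-99", "msg": "no match"},
]


def enrich_samples() -> list[dict]:
    """Run all three configurations over the sample logs."""
    return [enrich(log, CONFIGS) for log in SAMPLE_LOGS]


if __name__ == "__main__":
    for record in enrich_samples():
        print(record)
```

Reversing the priorities of the two lookup-table configurations leaves `data_center` unset, because the region-to-data-center rule then runs before the host lookup has added `region`; that is the practical consequence of the sequential, priority-ordered processing the table describes.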