An enrichment policy is a set of enrichment specifications. Each log from a device configured for a particular enrichment policy goes through all the enrichment specifications in ascending order. You can configure multiple enrichment policies in LogPoint. However, a single device can only have one enrichment policy.
An enrichment specification consists of a set of enrichment criteria and enrichment rules. Enrichment criteria are the conditions that must match the key-value pairs of the normalized event logs. Once the criteria are met, LogPoint uses the enrichment rules to enrich the logs.
Note: You can view the details of each enrichment policy by clicking the Details icon under the Actions column.
To add an enrichment policy, go to Settings >> Configuration from the navigation bar and click Enrichment Policies.
(Figure: Enrichment Policies)
Click Add.
(Figure: Adding an Enrichment Policy)
Provide a Policy Name and Description.
In the Specification section, provide Enrichment Criteria.
If you select Key Presents, provide the name of the key. In this case, the policy checks if the specified key is present in the log.
If you select Value Matches, provide the name of the key and the value (or a Regular Expression). In this case, the policy checks if the specified key is present in the log, and the value of the key matches the specified value.
Click the plus (+) icon to add a new criterion and the minus (-) icon to remove a criterion.
In the Enrichment Rule section, select an Enrichment Source from the drop-down menu.
(Figure: Enrichment Rule Section)
Choose a Source from the drop-down menu.
Choose a type of Operation. It is set to Equals by default.
Choose a Category from the drop-down menu.
If you select the Simple category, provide the Event Key suitable for the source.
If you select the Type Based category, choose an Event Key Type from the drop-down menu. In this case, all the fields of the selected type are eligible to be taken into consideration.
In LogPoint, the value associated with a key is either a string or a number. A value of the IP type is treated as a distinct case of the string type and is compared using simple string comparison.
Select Enable prefixing if you want to prefix the results with the event key. In this case, LogPoint presents the results in alphabetical order of the event key.
Click the plus (+) icon to add a new rule and the minus (-) icon to remove a rule.
Note: You cannot add more than 5 enrichment rules in an enrichment specification.
Click Submit.
Note: In a Distributed LogPoints setup, you cannot view or use the enrichment policies of remote LogPoints from the Search Head.
Warning: You cannot use an enriched field as a criterion for the type-based enrichment category. For example, if source_address is an enriched field, you cannot use that field as an enrichment criterion value.
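As an added illustration (not LogPoint's own code), the Python sketch below models how a policy is evaluated against one normalized log using the semantics described above: specifications run in ascending order, criteria are Key Presents or Value Matches (with a regular expression), a rule uses the Equals operation with a Simple or Type Based category, and results can be prefixed with the event key. The enrichment source table, the field-type map and the prefix format (event key, underscore, source field) are assumptions made for the example.

```python
import re

# Constructed stand-in for a LogPoint enrichment source: an asset inventory keyed by IP
ASSET_SOURCE = {
    "10.0.0.5": {"hostname": "dc01", "owner": "infra"},
    "10.0.0.9": {"hostname": "web01", "owner": "appteam"},
}
# Assumed field types for Type Based rules (real types come from LogPoint normalization);
# enriched fields never appear here, so they are never picked up as type-based criteria.
KEY_TYPES = {"source_address": "ip", "destination_address": "ip", "user": "string"}
MAX_RULES = 5  # LogPoint allows at most 5 rules per specification

def criteria_match(log, criteria):
    """All criteria must hold. Forms: ("key_presents", key) and
    ("value_matches", key, regex). IP values are compared as plain strings."""
    for crit in criteria:
        if crit[1] not in log:
            return False
        if crit[0] == "value_matches" and not re.fullmatch(crit[2], str(log[crit[1]])):
            return False
    return True

def apply_rule(log, rule):
    """Equals operation: look the event key's value up in the source and copy the hit."""
    if rule["category"] == "simple":
        keys = [rule["event_key"]]
    else:  # type_based: every log field of the chosen type is eligible
        keys = [k for k in log if KEY_TYPES.get(k) == rule["event_key_type"]]
    for key in keys:
        hit = rule["source"].get(str(log.get(key)))
        for name, value in (hit or {}).items():
            log[f"{key}_{name}" if rule.get("prefix") else name] = value

def enrich(log, policy):
    """Run every specification of the policy in ascending order over one log."""
    log = dict(log)  # leave the caller's normalized log untouched
    for spec in policy:
        if len(spec["rules"]) > MAX_RULES:
            raise ValueError("an enrichment specification allows at most 5 rules")
        if criteria_match(log, spec["criteria"]):
            for rule in spec["rules"]:
                apply_rule(log, rule)
    return log

# One policy with a single specification: only firewall verdicts are enriched
POLICY = [{"criteria": [("key_presents", "source_address"),
                        ("value_matches", "action", "allow|deny")],
           "rules": [{"source": ASSET_SOURCE, "operation": "equals",
                      "category": "type_based", "event_key_type": "ip", "prefix": True}]}]
SAMPLE_LOG = {"source_address": "10.0.0.5", "destination_address": "10.0.0.9",
              "action": "deny", "user": "alice"}  # constructed normalized log
```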
To edit an enrichment policy, go to Settings >> Configuration from the navigation bar and click Enrichment Policies.
Select the required enrichment policy.
(Figure: Enrichment Policies)
Update the information.
Click Submit.
Before deleting an enrichment policy, make sure it is not in use.
Go to Settings >> Configuration from the navigation bar and click Enrichment Policies.
Click the Delete icon under the Actions column of the enrichment policy.
(Figure: Enrichment Policies)
To delete multiple enrichment policies, select the policies, click the More drop-down menu and choose Delete Selected.
(Figure: Enrichment Policies)
To delete all the enrichment policies, click the More drop-down menu, and choose Delete All.
(Figure: Enrichment Policies)
Click Yes on the delete confirmation dialog box.