deleteEnrichment

A Workflow Engine function that removes data from the enrichment datastore. Returns true if the request is successful.

This function relates directly to the API details from your Enrichment API integration.

This function is available as a feature of the Add-ons v1.4 download and later.

This function is available for event, alert, and enrichment workflows.

This function does not modify the in-scope object when it deletes enrichment data.

Back to Workflow Engine Functions Reference.

Arguments

Workflow Engine function deleteEnrichment takes the following arguments:

Name

Required

Type

Description

attribute

Yes

String

Name of the attribute to lookup. For example, "hostname".

value

Yes

String

Name of the field or workflowContext key holding the data to lookup.

To specify a workflowContext key, prefix with "workflowContext". For example, "workflowContext.lookupkey".

Wildcard Search

You can perform a wildcard search if the event field or workflowContext contains a wildcard string. Valid wildcards are as follows:

Wildcard Type

Example

Description

Ends with

“*searchString”

Matches strings ending with the string “searchString”.

Begins with

“searchString*”

Matches strings beginning with the string “searchString”.

Contains

“*searchString*”

Matches strings containing the string “searchString”.

The following conditions apply when performing a wildcard search on an attribute or value:

Attribute Wildcard

The only supported wildcard for an attribute parameter is a single asterisk “*”, which deletes all records in the enrichment datastore.

Value Wildcard

For a fixed attribute, a wildcard search performs over the values of that attribute if the contents (of the value field or workflowContext) includes a supported wildcard.

For example, you have set the following:

  • attribute “source”

  • value “custom_info.lookupkey”

Where "custom_info.lookupkey" contains the string "host2*". In this scenario, the function matches records for the attribute "source" and values “host2”, “host201”, and “host2a”, and deletes all of these records.

Example

The following example demonstrates typical use of Workflow Engine function deleteEnrichment.

You want to send an update to your Enrichment API endpoint to delete the data within a field called "source". The field contains a value of "host_1". Set the following:

  • source: source

The UI translates your settings to the following JSON:

{"source":"source"}

The request deletes data for the attribute “source” and value “host_1”.

It’s possible to delete multiple entries for a given attribute by providing a field containing an array of string values in the source argument. For example, given the arguments:

{"source": "workflowContext.deleteList.source" }

Where the workflowContext key deleteList holds the value:

{ "source": [ "node_1", "node_2" ] }

In this scenario, the action generates two requests to the API to delete the data for the attribute source: one request to delete the value “node_1”, and a second request to delete the value “node_2”. If these requests are successful, the function returns true and deletes these values.