Skip to main content

Map Raw Event Data to Moogsoft Enterprise Events

This topic is about how to map event data in a Link Access Module (LAM) configuration file.

Configure the mapping in lam.conf

Mapping options vary based on the tokenization method you used.

  • For JSON formatted raw events you can map the incoming keys directly to Moogsoft Enterprise event fields under the mapping section. 

  • For data parsed using start_and_end or regex, the resulted tokens need to be first given a variable name depending on the position of the token. For example, if the incoming event is parsed into 4 tokens then you need 4 variables defined. You can then use these variable names in the 'mapping section'. If you don't use the variables in the mapping section then everything ends up in the "overflow" field.

variables:
[
    #
    # Note that positions start at 1, and go up
    # rather than array index style counting from zero
    #
    # Names of fields in input data can be substituted here, which is
    # useful for removing illegal characters when building rules.
    #
    { name: "Signature",      position: 1 },
    { name: "SourceId",       position: 2 },
    { name: "ExternalId",     position: 3 },
    { name: "Manager",        position: 4 },
    { name: "Class",          position: 5 },
    { name: "Agent",          position: 6 },
    { name: "AgentLocation",  position: 7 },
    { name: "Type",           position: 8 },
    { name: "Severity",       position: 9 },
    { name: "Description",    position: 10 },
    { name: "LastOccurrence", position: 11 },
    { name: "AgentTime",      position: 12 },
    { name: "Trigger Node",   substitute: "TriggerNode" }
],

During the mapping stage, LAM places any unmapped raw event data into a catchall "overflow" field. You can then choose to access the "overflow" field in a LAMBot, perform further parsing and retain certain variables from it in the custom_info object. An example of how this can be implemented is explained in the next section.

What happens to data in unmapped fields?

After the source data is tokenized, converted, and parsed as needed, then mapped to the Moogsoft Enterprise fields, you will have leftover. LAM places any unmapped raw event data into a catchall "overflow" field.

You can then choose to access the "overflow" field in a LAMBot, perform further parsing and retain certain variables from it in the custom_info object.

As you have read a few times by this point already, implementation of Moogsoft Enterprise takes a cyclical, iterative process. You will be visiting this overflow field to extract some data to use to respond to more requirements as you uncover them. Begin by mapping the minimum number of custom info fields and add more processes as you identify the needs by the downstream activities.

In this section: