Map external data to the Moogsoft Cloud schema

Note

This is step 3 in the Define a custom integration workflow.

After you set up your external service to send data to the endpoint, the next step is to map your external data fields to their equivalents in the Moogsoft Cloud schema.

  1. In Moogsoft Cloud, go to Data Config > Ingestion Services > Create your own Integration and select the endpoint you created.

  2. Go to 2 Map Your Data.

  3. Select a payload from the table.

  4. Map each source field in the payload to its corresponding Moogsoft Cloud target field.

    • To add additional mappings, click Add a Mapping.

    • To remove an unneeded mapping, click the trashcan to delete the corresponding row.

    • If one payload does not include all the source fields you need to map, select another payload in the list that does. You can select different payloads in sequence and map all your source fields in one operation.

    • If there is no source field that corresponds to a required Moogsoft Cloud target field, click inside Source Field and scroll to the end of the list of source fields. Type a placeholder value for Default Text. You can then create an event workflow to populate this field.

    • The Moogsoft Cloud events schema requires a severity field. Click Map Values to map the severity values in your source data to their target equivalents.

    NOTE: Moogsoft Cloud automatically maps source fields to target fields with the same name.

Mapping multiple source fields to the same target field

You might want to do this when the relevant data for a target field is in multiple source fields. The mapping behavior is different for target fields that are simple strings, such as source, and target fields that are lists, such as service.

Mapping string fields

For target fields that are simple strings, such as source and class, the mapper uses an if-then-else mechanism. Suppose your payloads encode the event source as follows:

Given this, the mapper populates the target field source based on the order of mappings in the table:

  • An fqdn field for application events

  • An ip field for network events

  • All events include a labels tag, which includes the hostname and a lot of other information about the event.

In the third case, the source field is still unmapped but the Moogsoft Cloud event still has the source name: it is embedded in the tags.labels string.

In this case, you can map the fields as follows.

  1. Event has an fqdn field => map fqdn to source

  2. Event has no fqdn field but it does has an ip field => map ip to source

  3. Event has no fqdn or ipe field => map string "TBD" to source. You can then create an automated workflow that extracts the hostname from the labels tag and maps it to the source target field.

Note that the mapping behavior is determined by the order in which these mappings are defined in the mapping table:

map-mult-source-fields-to-source.png

Mapping list fields

Suppose your payload has the following fields:

  • An app field that defines the user-facing name for an app

  • A microservice field that defines the back-end service that supports the app

In this case, you can map both fields to the service target field. Because the target field is a list, it gets populated with both names: "service" : ["myApp", myMicroService"]

Mapping types

In addition to basic mapping, you can use transformations to customize the way source field data is mapped to target fields.

All Source to Target mappings are basic mappings unless you click the Mapping type selector (arrow) between source and target fields and select a different type from the popup:

transformation_menu.png

See Use mapping types in custom integrations for a complete list of mapping types and instructions explaining how to use them.

In this section: