Enriching Events with External Data

This topic describes how you can enrich your data with additional information from your environment. Enrichment gives you more flexibility in clustering alerts the way you want, and it makes the resulting incidents easier to analyze and troubleshoot.

Data enrichment

In some cases your monitoring goals might require more information than is contained in the raw data. Enrichment is the process of adding data from your environment to new events. Express uses both event and enrichment data to create alerts and incidents. Enrichment has the following benefits:

  • Customize alert correlation

    You might find that you want to cluster alerts into incidents (described below) using criteria that are not included in the raw data you ingest into Express. For example, you might want to specify that a specific node corresponds to a specific app or service, or is managed by a specific operations team. You can specify an enrichment that maps the app, service, or team to that node and then use this custom data in your correlation profiles.

  • Provide critical reporting data to make alerts and incidents more useful and understandable.

To set up an enrichment, you do the following:

  1. Specify your enrichment data in a CSV file.

  2. Upload the CSV to a data catalog in Express.

  3. Create an event workflow with a Query Catalog action that maps the catalog fields to event fields and tags.

Once you set up your workflow, Express queries the catalog and adds matching data to each new event. Events with no matching catalog row pass through without the extra fields, so check that the values in the catalog key column match the corresponding event field as it is actually ingested (for example, the same hostname form, with no stray whitespace).
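The following is an added, constructed example that simulates what the three steps above produce; it is not Express code, and the CSV, the event records, the field names (`node`, `source`, `app`, `service`, `team`) and the key normalization (trimmed, lower-cased) are assumptions for illustration rather than Express's documented matching rules. It loads a catalog CSV, enriches a batch of events with tags from the matching row, leaves an unmatched event untouched, and then clusters the enriched events by the `team` tag the way a correlation profile keyed on that tag would.

```python
import csv
import io

# Constructed sample catalog (hypothetical hosts and teams, not from the page).
CATALOG_CSV = """node,app,service,team
web-01,storefront,checkout,payments-ops
web-02,storefront,checkout,payments-ops
db-01,storefront,orders-db,data-platform
"""

# Constructed sample events; "cache-07" deliberately has no catalog row.
EVENTS = [
    {"source": "WEB-01", "description": "High CPU", "severity": 3},
    {"source": "db-01", "description": "Replication lag", "severity": 4},
    {"source": "cache-07", "description": "Evictions", "severity": 2},
]

# Catalog column -> event tag name (assumed mapping, like a Query Catalog action).
FIELD_MAP = {"app": "app", "service": "service", "team": "team"}


def normalize_key(value):
    """Assumed key normalization: trim whitespace and lower-case."""
    return str(value or "").strip().lower()


def load_catalog(csv_text, key_field="node"):
    """Parse the CSV into a dict keyed on the normalized key field.

    Duplicate keys are rejected because two rows for one node would make
    the enrichment result depend on row order.
    """
    catalog = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_key(row.get(key_field))
        if not key:
            continue  # skip blank key rows rather than keying on ""
        if key in catalog:
            raise ValueError(f"duplicate catalog key: {key}")
        catalog[key] = {k: (v or "").strip() for k, v in row.items() if k != key_field}
    return catalog


def enrich_event(event, catalog, event_key="source", field_map=FIELD_MAP):
    """Return a copy of the event with catalog fields added as tags.

    Unmatched events are returned unchanged apart from an empty tags dict
    and enriched=False; the input event is never mutated.
    """
    enriched = dict(event)
    tags = dict(event.get("tags", {}))
    row = catalog.get(normalize_key(event.get(event_key)))
    if row is not None:
        for catalog_field, tag_name in field_map.items():
            if row.get(catalog_field):
                tags[tag_name] = row[catalog_field]
    enriched["tags"] = tags
    enriched["enriched"] = row is not None
    return enriched


def enrich_all(events, catalog):
    return [enrich_event(e, catalog) for e in events]


def cluster_by_tag(events, tag="team", unassigned="unassigned"):
    """Group events by a tag value, as a correlation profile keyed on that tag would."""
    clusters = {}
    for e in events:
        clusters.setdefault(e["tags"].get(tag, unassigned), []).append(e)
    return clusters


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_CSV)
    enriched = enrich_all(EVENTS, catalog)
    for e in enriched:
        print(e["source"], e["enriched"], e["tags"])
    for team, members in cluster_by_tag(enriched).items():
        print(team, [m["source"] for m in members])
```

Because the event field is normalized before lookup, `WEB-01` matches the catalog row `web-01`; whether Express itself normalizes case is not stated on the page, so treat that as a choice to verify against your own catalog rather than rely on.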