Match and Update action

This action enables you to update a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

This action provides a simple way to normalize events that have inconsistent formats. Suppose you have multiple event sources that indicate the event class -- application, network, database, etc. -- using different strings in different fields. You can use this action to find a matching string and then update the event class consistently based on the results.

  • Input fields

    The set of input fields to search.

  • Regex tags

    Each input field has a corresponding regex tag and output string. On the first match, the action copies the corresponding output string to the output field and stops evaluating the remaining inputs.

  • Output field

    Apply the output string to this field.

Example

You have two event sources. For one source, "ping" in the description field indicates a network event. For another source, "stored procedure" in the check field indicates a database event. You want to update the class field to either network or database.

Event Before

{
   "description": "ping to cntnr04 > 200ms",
   "severity": 4,
   "source": "cntnr04",
   "check": "rtt",
   "service": ["infraTestService"]
}
{
   "description": "proc get-all-addresses failed -- access denied",
   "severity": 5,
   "source": "pd4058",
   "check": "stored procedure get-all-addresses",
   "service": ["custService"]
}

You set up your action as follows:

  • Input fields = description, check

  • Regex tags and output strings:

    • .*ping.* => network

    • .*stored procedure.* => database

  • Output field = class

Event After

{
   "description": "ping to cntnr04 > 200ms",
   "severity": 4,
   "source": "cntnr04",
   "check": "rtt",
   "service": ["infraTestService"],
   "class": "network"
}
{
   "description": "proc get-all-addresses failed -- access denied",
   "severity": 5,
   "source": "pd4058",
   "check": "stored procedure get-all-addresses",
   "service": ["custService"],
   "class": "database"
}
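The following is an added example, not the product's own code, showing the first-match semantics of the action above in a few lines of Python. It runs the page's two rules over the two sample events and adds a third constructed event ("shipping report queued") to show that an unanchored tag such as ".*ping.*" also matches "ping" inside a longer word, which silently assigns the wrong class; a tightened rule set with word boundaries is shown beside it. Whether the real action anchors its regex tags is not stated on the page, so this code assumes a substring match (re.search); the field names and events are the page's, the third event and the tightened rules are constructed here.

```python
import re

# Added example, not the product's own code: a minimal implementation of the
# Match and Update action. Rules are (input_field, regex, output_value) and are
# evaluated in order; the first rule whose regex matches sets the output field.
# Anchoring is an assumption: re.search is used, so the page's ".*ping.*" style
# tags behave as substring matches.

def match_and_update(event, rules, output_field):
    """Return a copy of event with output_field set from the first matching rule."""
    updated = dict(event)
    for input_field, pattern, output_value in rules:
        value = event.get(input_field)
        if value is None:
            continue  # field absent from this event source; try the next rule
        if re.search(pattern, str(value)):
            updated[output_field] = output_value
            break  # first match wins; later rules are not evaluated
    return updated

# Rules from the page's example
RULES = [
    ("description", r".*ping.*", "network"),
    ("check", r".*stored procedure.*", "database"),
]

# Tightened variant (constructed here): word boundaries stop "ping" from
# matching inside words such as "shipping" or "mapping".
RULES_TIGHT = [
    ("description", r"\bping\b", "network"),
    ("check", r"\bstored procedure\b", "database"),
]

# Constructed sample events: the two from the page plus a third that shows the
# over-match risk of an unanchored ".*ping.*" tag.
EVENTS = [
    {"description": "ping to cntnr04 > 200ms", "severity": 4, "source": "cntnr04",
     "check": "rtt", "service": ["infraTestService"]},
    {"description": "proc get-all-addresses failed -- access denied", "severity": 5,
     "source": "pd4058", "check": "stored procedure get-all-addresses",
     "service": ["custService"]},
    {"description": "shipping report queued", "severity": 2, "source": "batch01",
     "check": "cron", "service": ["reportService"]},
]

def classify(rules=RULES):
    """Apply the action to every sample event and return the updated events."""
    return [match_and_update(e, rules, "class") for e in EVENTS]

if __name__ == "__main__":
    print("page rules:")
    for before, after in zip(EVENTS, classify()):
        print("  ", before["description"], "->", after.get("class", "<unchanged>"))
    print("tightened rules:")
    for before, after in zip(EVENTS, classify(RULES_TIGHT)):
        print("  ", before["description"], "->", after.get("class", "<unchanged>"))
```

With the page's rules the third event is classed as network because "shipping" contains "ping"; with the word-boundary rules it is left unchanged. When the regex tags decide a field that later routing or severity logic depends on, keep the tags as specific as the source data allows and test them against events from every source that feeds the action.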