Enrich (enrich)

Look up values in a CSV or Sqlite database and add matching fields to the event.

Minimal example

YAML:

```yaml
actions:
  - enrich:
      lookup:
        csv: ""
```

JSON:

```json
{ "actions": [ { "enrich": { "lookup": { "csv": "" } } } ] }
```
Fields

| Field | Type | Required | Description |
|---|---|---|---|
| description | string | | Describes this step. |
| condition | lua-expression (string) | | Only run this action if the specified condition is met. Example: `2 * count()` |
| lookup | Lookup | ✅ | CSV file or Sqlite file containing enrichment information. Allowed values: csv, sqlite, worker-database |
| dynamic | boolean (bool) | | The lookup file may not exist at job creation time. Default: false |
| add | Enrich Field Mapping | | A field value to add to the event. |
| event-fields | map (object) | | Add multiple fields to a single event based on a single match, providing a default. |
| match | Match Condition[] | | Match event values against lookup column values. |
| suppress-warnings | boolean (bool) | | Suppress warnings generated by this action. Default: false |
Schema
- Lookup Options
- Lookup - Sqlite Fields
- Lookup - Worker Database Fields
- Enrich Field Mapping Fields
- Match Condition Fields
- Match Condition - Match Type Options
Lookup Options

| Option | Name | Type | Description |
|---|---|---|---|
| csv | Csv | string | The source is a CSV file. Examples: /path/to/file, c:\users\joe\data\file.txt |
| sqlite | Sqlite | object | The source is a Sqlite database. |
| worker-database | Worker Database | object | The source is a worker-managed database. |
Lookup - Sqlite Fields

| Field | Type | Required | Description |
|---|---|---|---|
| path | path (string) | ✅ | Path to the database. Examples: /path/to/file, c:\users\joe\data\file.txt |
| table | string | ✅ | Table to use for the lookup. |
Lookup - Worker Database Fields

| Field | Type | Required | Description |
|---|---|---|---|
| table | string | ✅ | |
Enrich Field Mapping Fields

| Field | Type | Required | Description |
|---|---|---|---|
| event-field | field (string) | ✅ | Field name to be added to the event. Examples: data_field |
| lookup-field | field (string) | ✅ | Field (CSV header) whose value is looked up and placed in event-field. Examples: data_field |
| default-value | map (object) | | YAML-formatted default value used if the looked-up value is empty. Examples: data_field |
Match Condition Fields

| Field | Type | Required | Description |
|---|---|---|---|
| type | Match Type | ✅ | The type of the match. Allowed values: str, num, cidr, ip, num-range, num-list, str-list, none |
| event-field | field (string) | ✅ | Event field containing the value to look up. Examples: data_field |
| lookup-field | field (string) | ✅ | Name of the CSV or database field to compare against. Examples: data_field |
Match Condition - Match Type Options

| Value | Name | Description |
|---|---|---|
| str | str | Plain text match |
| num | num | Numerical match |
| cidr | cidr | CIDR network (e.g. 192.150.0.0/24); matches when the event IP falls inside the network |
| ip | ip | IP address |
| num-range | num-range | A range of numbers |
| num-list | num-list | A list of numbers |
| str-list | str-list | A list of text values |
| none | none | None |
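To show how the Fields table and the match types above fit together, here is an added reference model of the `enrich` action written for this page; it is not the product's own implementation. It parses an action in the JSON form the minimal example uses, loads a constructed CSV block list, and applies the `match`, `add` and `event-fields` settings to constructed connection events. Everything about evaluation order is an assumption the page does not state: all conditions must hold for a row (AND), the first matching row wins, `num-range` cells are written `low-high`, list cells are `;`-separated, `event-fields` maps an event field to a lookup column, `none` performs no comparison, and `default-value` is used only when no row matches. The lookup path `blocklist.csv` and the field names `dst_ip`, `dst_port`, `threat_severity` and `network_owner` are placeholders.

```python
# Added example, not the product's code: a reference model of how `match`,
# `add` and `event-fields` combine.  Assumptions (the page does not say): all
# conditions must hold for a row (AND), first matching row wins, num-range cells
# are "low-high", list cells are ";"-separated, default-value applies on no match.
import csv
import io
import ipaddress
import json

# Constructed lookup table, embedded so the example runs offline instead of
# reading the configured CSV path.
LOOKUP_CSV = """network,ports,severity,owner
10.0.0.0/8,22;3389,high,corp-it
192.0.2.0/24,1024;8080,medium,lab
203.0.113.0/24,80;443,low,dmz
"""

# The action in the JSON form of the page's minimal example; "blocklist.csv"
# is a placeholder path.
ACTION_JSON = """{"enrich": {
  "description": "Tag connections to listed networks and ports",
  "lookup": {"csv": "blocklist.csv"},
  "match": [
    {"type": "cidr", "event-field": "dst_ip", "lookup-field": "network"},
    {"type": "num-list", "event-field": "dst_port", "lookup-field": "ports"}
  ],
  "add": {"event-field": "threat_severity", "lookup-field": "severity",
          "default-value": "none"},
  "event-fields": {"network_owner": "owner"}
}}"""

# Constructed events; the last one carries a malformed address on purpose.
EVENTS = [
    {"dst_ip": "10.20.30.40", "dst_port": 3389},
    {"dst_ip": "203.0.113.9", "dst_port": 443},
    {"dst_ip": "203.0.113.9", "dst_port": 8080},
    {"dst_ip": "not-an-ip", "dst_port": 22},
]


def _split(cell):
    return [part.strip() for part in cell.split(";") if part.strip()]


def _compare(match_type, event_value, lookup_value):
    if match_type == "none":
        return True  # assumption: "none" performs no comparison
    if event_value is None:
        return False  # the event lacks the field
    if match_type == "str":
        return str(event_value) == lookup_value
    if match_type == "num":
        return float(event_value) == float(lookup_value)
    if match_type == "ip":
        return ipaddress.ip_address(event_value) == ipaddress.ip_address(lookup_value)
    if match_type == "cidr":
        return ipaddress.ip_address(event_value) in ipaddress.ip_network(lookup_value, strict=False)
    if match_type == "num-range":  # "low-high", non-negative bounds only
        low, high = (float(x) for x in lookup_value.split("-", 1))
        return low <= float(event_value) <= high
    if match_type == "num-list":
        return float(event_value) in [float(x) for x in _split(lookup_value)]
    if match_type == "str-list":
        return str(event_value) in _split(lookup_value)
    raise KeyError(f"unknown match type {match_type!r}")


def condition_matches(match_type, event_value, lookup_value):
    """One Match Condition evaluated against one CSV cell."""
    try:
        return _compare(match_type, event_value, lookup_value)
    except ValueError:
        return False  # unparsable IPs or numbers never match rather than aborting the job


def enrich_event(action, rows, event):
    """Copy of `event` with fields from the first row satisfying every condition."""
    cfg = action["enrich"]
    out = dict(event)
    matched = next((row for row in rows if all(
        condition_matches(c["type"], event.get(c["event-field"]), row[c["lookup-field"]])
        for c in cfg.get("match", []))), None)
    add = cfg.get("add")
    if add and matched is not None:
        out[add["event-field"]] = matched[add["lookup-field"]]
    elif add and "default-value" in add:
        out[add["event-field"]] = add["default-value"]
    if matched is not None:
        for event_field, lookup_field in cfg.get("event-fields", {}).items():
            out[event_field] = matched[lookup_field]
    return out


def run(action_json=ACTION_JSON, csv_text=LOOKUP_CSV, events=EVENTS):
    action = json.loads(action_json)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return [enrich_event(action, rows, event) for event in events]
```

Calling `run()` enriches the four events: the first two match a row and receive both `threat_severity` and `network_owner`; the third is on a listed network but an unlisted port, so only the `default-value` is applied; the malformed address never raises, it simply fails the `cidr` condition, which is the behaviour you want from a step that runs inside a long-lived pipeline.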