- Log Stream Overview
- Parser Manager
- Parsers Overview
- View Parser Details
- Create a Custom Parser
- Import Sample Logs
- Define a Subset of the Sample Logs
- Add Conditions
- Add Basic Parser Information
- Extract Event Fields
- Extract Mapped JSON Fields
- Select JSON Fields from a List of Key/Value Pairs
- Select Tokenized JSON Fields from the Values in the Sample Log
- Manually Enter JSON Path Expressions
- Reorder Mapped JSON Fields
- Review the Matching JSON Fields and Values
- Add Logic to JSON Field Extraction
- Expressions for Extraction Conditions
- Array Log Sample
- Extract Fields Using Regular Expressions
- Extract Mapped JSON Fields
- Add Event Builder Rules
- Review and Save Parser
- Manage Existing Custom Parsers
- Tokenize Non-Standard Log Files
- Customize a Default Parser
- Duplicate a Parser
- Enable or Disable Parsers
- Live Tail
- Enrichments
- Event Filtering
Enrichments
Note
License Requirement
Currently, the Enrichments tab is available only if you have the New-Scale Analytics license.
The Enrichments tab in the Log Stream application provides access to manage the enrichment rules that are applied automatically as part of the process to enrich parsed event logs with contextual data. The Enrichments tab offers two types of information about the available enrichment rules:
A table lists all of the enrichment rules available in your environment. Lifecycle metrics for each rule are provided, such as when it was created, updated, and used. You can manage each enrichment rule in the list to enable, disable, or export them. You can also view and edit the configuration details for a specific rule. New rules can be added by importing them from other environments or by creating custom rules and importing them.
Usage data is visualized in the form of charts that show status health and activity levels for the enrichment rules in your environment.
To access the enrichment rules, log into the Log Stream application and click the Enrichments tab at the top.
Navigating the Enrichments Tab
The Enrichments tab provides access to manage all of the enrichment rules in your environment. The tab includes two main sections, as shown in the following image and described in the numbered points below.
 |
The charts in the top section of the Enrichment tab visualize the following usage data about your enrichment rules:
Enabled Enrichment Health Status – The pie chart in the upper left corner of the tab shows the current status of all the enabled enrichment rules in your environment. It shows the total number of rules that are in an enabled status. When you hover your cursor over different slices of the pie chart, a pop up tooltip shows how many of those enabled rules are active (within the last 24 hours) and how many are idle.
If you click on the active or idle parts of the pie chart, the list of enrichments shown in the rules table is filtered to display only the active or idle rules (corresponds to filtering by the Health column of the table).
Most Active Enrichment Rules – This chart in the upper right corner of the tab show the enrichment rules that have been the most active over a given time range. By default, the chart is filtered to show top rules over the last 24 hours. You can change the time range to the last 7 or last 30 days.
The table in the bottom section of the Enrichment tab lists all of the enrichment rules available in your environment. You can interact with the table in the following ways:
View information – The following columns of information are available for each enrichment rule:
Type – Indicates the type of the enrichment rule. Click the filter icon (
) in the column heading to filter the type of rules displayed in the table. The following rule types are available:Default (
) – An Exabeam-create enrichment rule.Custom (
) – A user-created enrichment rule.Event Selection (
) – An Exabeam-create enrichment rule that can be used in conjunction with event filtering.
Name – Shows the name of each enrichment rule. You can use the search bar above the table to find rules with a specific word or phrase in the name.
24H Usage – Provides a thumbnail visualization of the usage for each rule during the past 24 hours. It provides both an overall count and a small line chart of activity. For the most active rules in the table, the count matches the data in the Most Active Enrichment Rules chart in the top left of the Enrichment tab. In the thumbnail line chart for each rule, you can hover your cursor over the peaks to view the count for that specific point in the 24 hour period. You can also click the small arrow next to the column header to sort the table in ascending or descending order by this column.
Status – Indicates whether each enrichment rule is in an enabled or disabled status. You can click the filter icon (
) in the column heading to filter the display of rules in the table to show only enabled or disabled rules.Health – Indicates whether each enrichment rule is active or idle, based on the usage data for the last 24 hour period. You can click the filter icon (
) in the column heading to show only active or idle rules in the table.Updated – Shows the date and time when each enrichment rule was enabled, disable, or modified, and by whom. You can click the small arrow next to the column header to sort the table in ascending or descending order by the dates and times in this column.
Perform individual actions – Click the options menu (
) on the right side of each row to perform the following actions on a specific enrichment rule:View Details – Select this option to open a panel with detailed information about the enrichment rule and its configuration. The panel includes the conditions that are configured to define when the rule is applied and the mapping of field names to field values.
Disable or Enable – If a rule is enable, select the Disable option to disable it. If the rule is disabled, click the Enable option to enable it. You will be prompted to confirm either selection.
Export – Select this option to export an enrichment rule. An Export Enrichments dialog box opens where you can choose to export only the selected enrichment rule or all of the rules in the table. When you click Export, the rule is exported in a HOCON-compatible format as a
.conffile.Tip
You can open the downloaded .conf file, edit the conditions and mapping, and import the file back into Log Stream where it will appear as a custom enrichment rule. Note that rule names must be unique.
Perform bulk actions – Use the check box column on the far left of the table to perform bulk actions. You can click the check box in the header of the column to select all of the enrichment rules on the page, or hover your cursor over the check box column for given rows and select multiple specific rules. Then you can click options to Disable, Enable, or Export all of the selected rules.
Once you start selecting multiple check boxes, the check box in the header row turns into a unselect icon. You can click it to unselect all of the currently selected rows.
Import rules – Click the Import option at the top of the Enrichment tab to import new or edited enrichment rules. When the Import Enricher dialog box opens, click Select File to navigate to a HOCON-compatible
.conffile that you want to import. When you've selected a file, click Import Enricher. The.conffile is imported into Log Stream where the enrichment rule is listed as a custom rule.