Enrich (enrich)
Look up values in a CSV or Sqlite database and add matching fields.
Minimal example

```yaml
actions:
  - enrich:
      lookup:
        csv: ""
```

```json
{ "actions": [ { "enrich": { "lookup": { "csv": "" } } } ] }
```
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| lookup | Lookup | ✅ | CSV file or Sqlite file containing enrichment information. |
| description | string | | Describe this step. |
| condition | lua-expression (string) | | Only run this action if the specified condition is met. Examples: `2 * count()` |
| dynamic | boolean (bool) | | The lookup file may not exist at job creation time. |
| add | Add | | A field value to add to the event. |
| event-fields | map (object) | | Add multiple fields to a single event based on a single match, providing a default. |
| match | Match[] | | Match event values against lookup column values. |
| suppress-warnings | boolean (bool) | | Suppress warnings generated by this action. |
Schema
- Lookup Options
- Lookup - Sqlite Fields
- Lookup - Worker Database Fields
- Add Fields
- Match Fields
- Match - Type Options
Lookup Options
| Option | Name | Type | Description |
|---|---|---|---|
| csv | Csv | string | The source is a CSV file. Examples: `/path/to/file`, `c:\users\joe\data\file.txt` |
| sqlite | Sqlite | object | The source is a Sqlite database. |
| worker-database | Worker Database | object | The source is a worker-managed database. |
Lookup - Sqlite Fields
| Field | Type | Required | Description |
|---|---|---|---|
| path | path (string) | ✅ | Path to the database. Examples: `/path/to/file`, `c:\users\joe\data\file.txt` |
| table | string | ✅ | Table to use for lookup. |
Lookup - Worker Database Fields
| Field | Type | Required | Description |
|---|---|---|---|
| table | string | ✅ | |
Add Fields
| Field | Type | Required | Description |
|---|---|---|---|
| event-field | field (string) | ✅ | Field name to be added to the event. Examples: `data_field` |
| lookup-field | field (string) | ✅ | Field (CSV header) whose looked-up value is placed in event-field. Examples: `data_field` |
| default-value | map (object) | | YAML formatted default value used if the event is empty. Examples: `data_field` |
Match Fields
| Field | Type | Required | Description |
|---|---|---|---|
| type | Type | ✅ | The type of the match. Allowed values: `str`, `num`, `cidr`, `ip`, `num-range`, `num-list`, `str-list`, `none` |
| event-field | field (string) | ✅ | Field containing the value to look up. Examples: `data_field` |
| lookup-field | field (string) | ✅ | Name of the CSV or database field to be compared. Examples: `data_field` |
Match - Type Options
| Value | Description |
|---|---|
| str | Plain text match |
| num | Numerical match |
| cidr | CIDR (e.g. 192.150.0.1/24) |
| ip | IP address |
| num-range | A range of numbers |
| num-list | A list of numbers |
| str-list | A list of text values |
| none | None |
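A fuller configuration than the minimal example, added here as an illustration of the Fields, Match and Add tables and not taken from the project's own documentation: the `src_ip` event field is matched with type `cidr` against the `network` column of a constructed CSV, and the matching row's `owner` value is copied into the event as `net_owner` so analysts can see which team owns the source network. The CSV path, its column names and the shape of `default-value` are assumptions.

```yaml
# Constructed lookup file /etc/enrich/networks.csv (assumed path, not from the page):
#   network,owner,zone
#   10.10.0.0/16,corp-it,internal
#   192.0.2.0/24,dmz-web,dmz
actions:
  - enrich:
      description: tag events with the owner of the source network
      lookup:
        csv: /etc/enrich/networks.csv
      # the file is expected to exist when the job is created
      dynamic: false
      match:
        # src_ip is tested for membership in each CIDR in the network column
        - type: cidr
          event-field: src_ip
          lookup-field: network
      add:
        # copy the matched row's owner column into the event as net_owner
        event-field: net_owner
        lookup-field: owner
        # default-value is documented as a map; the key used here is an assumption
        default-value:
          net_owner: unknown
      suppress-warnings: false
```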