enrich
Resets data with a context.
context::enrich name:string, key=any,
[into=field, mode=string, format=string]Description
The context::inspect operator shows details about a specified context.
name: string
The name of the context to inspect.
key = any
The field to use for the context lookup.
into = field (optional)
The field into which to write the enrichment.
Defaults to the context name (name).
mode = string (optional)
The mode of the enrichment operation:
set: overwrites the field specified byinto.append: appends into the list specified byinto. Ifintoisnullor anemptylist, a new list is created. Ifintois not a list, the enrichment will fail with a warning.
Defaults to set.
format = string (optional)
The style of the enriched value:
plain: formats the enrichment as retrieved from the context.ocsf: formats the enrichment as an OCSF Enrichment object with fieldsdata,provider,type, andvalue.
Defaults to plain.
Examples
Enrich with a lookup table
Create a lookup table:
context::create_lookup_table "ctx"Add data to the lookup table:
from [
{x:1, y:"a"},
{x:2, y:"b"},
]
context::update "ctx", key=x, value=yEnrich with the table:
from {x:1}
context::enrich "ctx", key=x{
x: 1,
ctx: "a",
}Enrich as OCSF Enrichment
Assume the same table preparation as above, but followed by a different call to
context::enrich using the format option:
from {x:1}
context::enrich "ctx", key=x, format="ocsf"{
x: 1,
ctx: {
created_time: 2024-11-18T16:35:48.069981,
name: "x",
value: 1,
data: "a",
}
}Enrich by appending to an array
Enrich twice with the same context and accumulate enrichments into an array:
from {x:1}
context::enrich "ctx", key=x, into=enrichments, mode="append"
context::enrich "ctx", key=x, into=enrichments, mode="append"{
x: 1,
enrichments: [
"a",
"a",
]
}See Also
context::create_bloom_filter,
context::create_geoip,
context::create_lookup_table,
context::inspect,
context::list,
context::load,
context::remove,
context::reset,
context::save,
context::update