context::enrich

Enriches events with data from a context.

context::enrich name:string, key=any,
               [into=field, mode=string, format=string]

Description

The context::enrich operator enriches events with data from a context.

The name of the context to enrich with.

The field to use for the context lookup.

The field into which to write the enrichment.

Defaults to the context name (name).

The mode of the enrichment operation:

set: overwrites the field specified by into.
append: appends into the list specified by into. If into is null or an empty list, a new list is created. If into is not a list, the enrichment will fail with a warning.

Defaults to set.

The style of the enriched value:

plain: formats the enrichment as retrieved from the context.
ocsf: formats the enrichment as an OCSF Enrichment object with fields data, provider, type, and value.

Defaults to plain.

Create a lookup table:

context::create_lookup_table "ctx"

Add data to the lookup table:

from {x:1, y:"a"},
     {x:2, y:"b"}
context::update "ctx", key=x, value=y

Enrich with the table:

from {x:1}
context::enrich "ctx", key=x

{
  x: 1,
  ctx: "a",
}

Assume the same table preparation as above, but followed by a different call to context::enrich using the format option:

from {x:1}
context::enrich "ctx", key=x, format="ocsf"

{
  x: 1,
  ctx: {
    created_time: 2024-11-18T16:35:48.069981,
    name: "x",
    value: 1,
    data: "a",
  }
}

Enrich twice with the same context and accumulate enrichments into an array:

from {x:1}
context::enrich "ctx", key=x, into=enrichments, mode="append"
context::enrich "ctx", key=x, into=enrichments, mode="append"

{
  x: 1,
  enrichments: [
    "a",
    "a",
  ]
}