Enrichment Lists
If the data you want to search is more dynamic and changes often, it might be difficult to create a query that would collect the right information.
In such cases, you can use an enrichment list and reference the list in any query or in
Predefined Functions to achieve accurate results. From the
Advanced Search tab, you can use a enrichment list in your search query.
LogLogic LMI provides some built-in enrichment lists, for example,
mapRuleAction. You can refer to the built-in lists as a guideline to create your own.
Use the following syntax to run a search query with an enrichment list:
use <nameOfDataModel> | $<NameofEnrichmentList>(<ColumnName>)='<keyname>' where:- <nameOfAdvancedDataModel> is the name of the data model to be queried
- <NameofEnrichmentList> is the name of the enrichment list
- <ColumnName> is the column name or field name in which you want to search for values
- <keyname> is the key name that is associated with the value to be searched in <ColumnName>. The <keyname> must be identical to what is provided in the enrichment list configuration.
For example, consider the search query:
use LogLogic_Appliance |$ipBlackList(ll_eventActionID)='reserved'
The Enrichment List ipBlackList contains some value mapped to the key name reserved. This value is searched in the column ll_eventActionID of the data model LogLogic_Appliance. We want the search result to display all log events that match the value of the key name reserved.
Copyright © Cloud Software Group, Inc. All rights reserved.