Identifier Environment

An identifier environment is used to specify the data models, when those parts are not present in a key identifier.

The identifier environment is composed of:

  • [Default data model <identifier>]

The identifier environment follows a hierarchical structure when resolving a missing part in an identifier. The order is as follows:

  • Event Group Environment
  • Correlation Rule Environment
  • Ruleset Environment
  • Root Environment (defined outside ECL itself)
    • For Correlation REST API: this is the environment parameter.
    • For Web application: this is related to the currently logged in user.

Limitations

  • The only possible value for tenant is: tenant1
  • The only possible value for domain is: shared
  • The only possible value for source is: correlation

Simple Identifier

The simple identifier must be defined using letters, numbers, underscore (_), and dollar sign ($) with or without single quotes (' '). If single quotes (' ') are not used, use square brackets ([ ]), or back quotes (` `).

For example: ('a'..'z'|'A'..'Z') ('a'..'z'|'A'..'Z'|'0'..'9'|'_'|'$')*

Key Identifier

An identifier is composed of four parts separated by dots. An identifier part follows the syntax of the simple identifier. The identifier parts are:

  • Tenant name
  • Domain name
  • Source configuration name
  • Field name (or column name)

The key identifier can be defined as follows: 

[[[<tenant identifier>.]<domain identifier>.]<source config identifier>.]<field
identifier>

The <field identifier> is mandatory part. If the other identifier parts are not defined, they are automatically extracted from the identifier environment.

Limitations:

  • The only possible value for tenant is: tenant1
  • The only possible value for domain is: shared
  • The only possible value for source is: correlation