A log message is a wealth of information for an operator. It helps in troubleshooting an issue and finding the root cause.
Enrichment in logs helps you to add meaningful information to the log messages that will make search and analysis easier and more meaningful. Enriched logs are visualized better and bring out useful information and statistics. For example, you can enrich IPAddress, a field in logs, with geographical information like city, country code, longitude, and latitude that you can fetch from a GeoIP server. BMC Helix Log Analytics adds these additional details in real-time.
BMC Helix Log Analytics enables you to enrich logs from the following sources:
- CSV files
The following video (2:26) shows a high-level summary of the enrichment feature in BMC Helix Log Analytics.
As an administrator, enrich logs by following the steps explained in the following table:
Plan log enrichment based on the following information:
For example, by using the IPAddress field in the logs, you might want to enrich the logs with the geographical information (like city, zip code, and so on) by connecting to your GeoIP server and get the relevant information.
To plan enrichment better, understand how enrichment is applied to logs based on the precedence, conditions, and enrichment sources configured in an enrichment policy.
|How log enrichment works|
|Add enrichment sources|
Based on the enrichment that you want to add to logs, add the source that will enrich the logs. You need the following information to add an enrichment source:
For the user_id example, the source to enrich the field is the GeoIP server of your organization.
|Adding enrichment sources|
|Add enrichment policy|
An enrichment policy defines the condition that triggers enrichment and applies the enrichment source to logs.
For example, you enrich the IPAddress field with geographical details when server == 188.8.131.52.
|Creating enrichment policies|