Overview of enrichment status


When an enrichment policy is applied to a log entry, the enrichment_audit field is added to the log with one of the following statuses:

  • Enriched: When enrichment is applied successfully by using all target fields configured in an enrichment source.
  • Enrichment_Pending: When a log is collected while the enrichment algorithm is still contacting the enrichment source. This status usually appears when the algorithm connects to an enrichment source for the first time and a log entry is collected while the connection is being established.
  • Enrichment_Insufficent_Data: When the field configured in Source Field Path is not found in the logs.
  • Enriched_Partially: When only some of the target enrichment fields are added to the logs.
  • Enrichment_Not_Found: When the algorithm has not cached values from the CSV file. This status is applicable to CSV enrichment sources only.
  • Enrichment_Failed: When there is an error or exception in contacting the enrichment source, or when the enrichment configurations are incorrect.

Here is the format of the enrichment_audit field value:

<policy_name>:<"Configuration-" + "Configuration display order">:<enrichment_status>
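The format above can be parsed to tally enrichment outcomes per policy and configuration and to surface the statuses that point to a source or configuration problem. This is an added example, not product code: the function names, the constructed sample values, the integer display order, and the choice of which statuses to flag for review are assumptions.

```python
import re
from collections import Counter

# Status values exactly as listed (and spelled) on this page.
STATUSES = {
    "Enriched", "Enrichment_Pending", "Enrichment_Insufficent_Data",
    "Enriched_Partially", "Enrichment_Not_Found", "Enrichment_Failed",
}
# Assumption: anything other than Enriched / Enrichment_Pending deserves review.
NEEDS_REVIEW = STATUSES - {"Enriched", "Enrichment_Pending"}
# Assumption: the configuration display order is a decimal integer.
CONFIG_RE = re.compile(r"Configuration-(\d+)")

def parse_enrichment_audit(value):
    """Split '<policy_name>:Configuration-<order>:<status>' into a dict.
    Splits from the right so a policy name containing ':' stays intact;
    raises ValueError for anything that does not fit the documented format.
    """
    parts = value.strip().rsplit(":", 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"not an enrichment_audit value: {value!r}")
    policy, config, status = parts
    match = CONFIG_RE.fullmatch(config)
    if match is None or status not in STATUSES:
        raise ValueError(f"unexpected configuration or status: {value!r}")
    return {"policy": policy, "order": int(match.group(1)), "status": status}

def summarize(values):
    """Return (counts, review, malformed) for a list of field values."""
    counts, malformed = Counter(), []
    for value in values:
        try:
            p = parse_enrichment_audit(value)
        except ValueError:
            malformed.append(value)  # keep unparseable values visible
            continue
        counts[(p["policy"], p["order"], p["status"])] += 1
    review = {k: n for k, n in counts.items() if k[2] in NEEDS_REVIEW}
    return counts, review, malformed

# Constructed sample values (policy names are hypothetical).
SAMPLE = [
    "GeoIP_Lookup:Configuration-1:Enriched",
    "GeoIP_Lookup:Configuration-1:Enriched",
    "GeoIP_Lookup:Configuration-1:Enrichment_Pending",
    "GeoIP_Lookup:Configuration-1:Enrichment_Failed",
    "Asset:CSV:Configuration-2:Enrichment_Not_Found",
    "GeoIP_Lookup:Enriched",  # malformed: configuration part missing
]
```

Calling summarize(SAMPLE) returns the full counts, the subset keyed by (policy, order, status) that needs review, and the values that did not match the format.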
