Processing events with advanced enrichment and time-based enrichment policies
An event policy can be used to configure different policy types that perform basic event enrichment, suppress events, send notifications, and so on. Each of these policy types caters to specific use cases for processing events, enriching them, or performing specific actions. Advanced enrichment and time-based enrichment policies go further: they help you perform advanced processing and enrichment and cater to complex use cases.
Basic enrichment versus advanced enrichment
Basic enrichment can be done by configuring an enrichment policy to enrich particular event information through specified event slots only. For example, you can only enrich event information such as severity, priority, category, message, and location.
However, with an advanced enrichment policy you can enrich other event slots in addition to those that are configurable with basic enrichment. You can also set up advanced actions for processing events. These actions can be used to perform advanced event processing such as using mathematical functions to arrive at the event slot value, performing lookups on existing events, and adding advanced conditions that determine whether the processing should take place or when it must be triggered.
Similarly, time-based enrichment can be considered an extension of advanced enrichment, which is available to you as a separate policy type to cater to a specific use case.
Basic enrichment can be very useful for simple, routine actions that you want to apply to many events. But if you want to perform complex event manipulation on a small subset of events, advanced enrichment policies might be more appropriate.
Advanced enrichment versus time-based enrichment
An advanced enrichment policy provides you with a canvas to build configurations for a combination of isolated use cases used for processing and enriching events. In a way, advanced enrichment provides you with a superset of tools that can be combined according to your needs to build a policy workflow.
Similar to an advanced enrichment policy, a time-based enrichment policy allows you to combine various actions to build a policy workflow. The difference is that a time-based enrichment policy allows you to schedule a time duration after which actions need to be taken.
Time-based enrichment is meant to help you focus on processing and enriching events with a time perspective. Therefore, fewer actions are available in a time-based enrichment policy than in an advanced enrichment policy.
The following topics can help you understand these policies better: