Order for applying policies

In BMC Helix Log Analytics, you can create the following policies:

  • Alert
  • Enrichment
  • Field extraction

These policies are applied to the incoming logs in the following order:

Policy_Application_Order.jpg

The following video (2:48) describes the order for applying policies and its importance.


icon-play@2x.png https://youtu.be/EXCxjo5GgRM

Let's understand how this order will help you. For example, you are collecting the following logs:

Default_log_message.jpg

You have configured a field extraction policy that extracts the name, srceventtype, and tenantID fields from the log message. Before the log entry is saved, these fields are extracted from the message.

ExtractedFields_in_Logs.png

Next, enrichment policies are applied. For example, you configured an enrichment policy that uses a CSV enrichment source and adds host and service names to the log.

Enrichment_policy.jpg

Operators can use the extracted fields to analyze logs effectively. There is another use of these fields. Note that the Policy Selection Criteria in the enrichment policy uses the srceventtype field that you have extracted from the log message. You could use it in the enrichment policy because the field extraction policy was applied first.

Next, the alert policies are applied. If the collected logs meet the conditions configured in the alert policy, an event is generated. 

AlertPolicy_Event.jpg

You can use the extracted and enriched fields to configure the policy selection criteria of an alert policy.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*