Order for applying policies
In BMC Helix Log Analytics, you can create the following policies:
- Alert
- Enrichment
- Field extraction
These policies are applied to the incoming logs in the following order:
The following video (2:48) describes the order for applying policies and its importance.
Let's look at how this order helps you. For example, suppose you are collecting the following logs:
You have configured a field extraction policy that extracts the name, srceventtype, and tenantID fields from the log message. Before the log entry is saved, these fields are extracted from the message.
Next, enrichment policies are applied. For example, you configured an enrichment policy that uses a CSV enrichment source and adds host and service names to the log.
Operators can use the extracted fields to analyze logs effectively, but these fields have another use as well. Note that the Policy Selection Criteria of the enrichment policy uses the srceventtype field that was extracted from the log message. You can use it in the enrichment policy because the field extraction policy was applied first.
Next, the alert policies are applied. If the collected logs meet the conditions configured in the alert policy, an event is generated.
You can use the extracted and enriched fields to configure the policy selection criteria of an alert policy.
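The following added example (not BMC's own code) simulates the three-stage order described above on a constructed log line: field extraction first, then a CSV enrichment whose selection criteria depend on the extracted srceventtype field, then an alert policy whose criteria depend on both extracted and enriched fields. The log line, CSV rows, field pattern and alert condition are all assumptions made for the illustration.

```python
import csv
import io
import re

# Constructed sample log line; the field names follow the page, the values do not.
SAMPLE_LOG = 'name=login-service srceventtype=auth-failure tenantID=t-001 msg="bad password"'

# Constructed CSV enrichment source, keyed on the extracted srceventtype field.
ENRICHMENT_CSV = """srceventtype,host,service
auth-failure,web-01,identity
disk-full,db-02,storage
"""

# Assumed key=value layout of the message; a real policy would use its own pattern.
FIELD_PATTERN = re.compile(
    r"name=(?P<name>\S+) srceventtype=(?P<srceventtype>\S+) tenantID=(?P<tenantID>\S+)"
)


def field_extraction(record):
    """Stage 1: extract name, srceventtype and tenantID from the raw message."""
    match = FIELD_PATTERN.search(record["message"])
    return {**record, **match.groupdict()} if match else dict(record)


def enrichment(record, csv_text=ENRICHMENT_CSV):
    """Stage 2: selection criteria use srceventtype, so they can only match after extraction."""
    if "srceventtype" not in record:
        return dict(record)  # criteria cannot be evaluated; log passes through unchanged
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["srceventtype"] == record["srceventtype"]:
            return {**record, "host": row["host"], "service": row["service"]}
    return dict(record)


def alert(record):
    """Stage 3: selection criteria use an extracted field and an enriched field."""
    return record.get("srceventtype") == "auth-failure" and record.get("service") == "identity"


def apply_policies(message, order=(field_extraction, enrichment)):
    """Run the stages in the given order, then evaluate the alert policy."""
    record = {"message": message}
    for stage in order:
        record = stage(record)
    return record, alert(record)
```

Running the stages in the documented order yields an enriched record and an event; reversing them leaves the record unenriched and the alert condition unmet, which is the dependency the page describes.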