Example: Enrich events with node details according to the node kind

To enrich the detailed message event slot, perform the following steps:

1. Define the event selection criteria.
2. Build the policy workflow.

Actions used in the example

• Variable
• Enrich

For more information about actions, see Actions-for-advanced-and-time-based-enrichment.

To define the event selection criteria

1. Select Configuration > Event Policies and click Create.
2. In Event Selection Criteria, define a condition to select events that contain the message LookupNodeDetailsByKind.

The following image illustrates how the event selection criteria will look:

To learn how to construct the event selection criteria, see Creating-and-enabling-event-policies.

To build the policy workflow

On the Advanced Enrichment page, perform the following steps:

TipYou can hover over an action to view the complete label for the action as shown:

1. Add the Function action to specify the node details for the Host kind and in the Function field of the function settings, select LookupNodeDetailsByKind; specify the node selection criteria, node attributes, node kind, and click Apply.
2. Add an Enrich action to enrich the Model Name slot and in the Value field of the enrichment settings, click Variable; select $NODE.type and click Apply.
   
   
   
3. Add an Enrich action to enrich the detailed message in the event and in the Value field of the enrichment settings, click Function; select the Concat function to append the node OS details to the Detailed Message slot value, click Apply, and save the advanced enrichment policy configuration.

Results

The preceding policy workflow enriches the value of the event location and tags on the Event Details page.

Without event enrichment

With event enrichment