Categorize Events Based on Values in More Fields
Categorize events based on values across multiple fields. The example combines in(), including its negated form !in(), with a case statement.
Query
```logscale
case {
  in(srcIP, values=["192.168.1.*"]) | type := "Internal";
  !in(loglevel, values=["DEBUG", "INFO"]) | type := "Critical";
  * | type := "Other"
}
```
Introduction
The in() function can be used to select events in which the given field contains specific values. It is possible to combine in() with a case statement to categorize events.
In this more advanced example, a case statement is used to categorize events based on the fields srcIP and loglevel, using both in() and negated in(). Notice that the semicolon is used to end the different logical expressions, and that the branches are evaluated in order: the first one whose condition holds assigns the type.
Example incoming data might look like this:

srcIP=192.168.1.5 loglevel=ERROR status=404 user=admin
srcIP=10.0.0.1 loglevel=INFO status=200 user=user1
srcIP=172.16.0.5 loglevel=WARN status=422 user=user2
srcIP=192.168.1.15 loglevel=ERROR status=500 user=admin
srcIP=10.0.0.12 loglevel=DEBUG status=302 user=user1
Step-by-Step
Starting with the source repository events.
```logscale
case {
  in(srcIP, values=["192.168.1.*"]) | type := "Internal";
  !in(loglevel, values=["DEBUG", "INFO"]) | type := "Critical";
  * | type := "Other"
}
```
Evaluates the branches in order and assigns the first match.

The first branch returns all events whose srcIP value starts with 192.168.1. followed by anything, and creates a new field named type with the value Internal for those events. Because the wildcard * is used, the value must be given as a quoted string. Events matched here are not tested by the later branches, so 192.168.1.5 with loglevel=ERROR is labelled Internal, not Critical.

The second branch, !in(loglevel, values=["DEBUG", "INFO"]), matches the remaining events whose loglevel is neither DEBUG nor INFO and assigns the value Critical to the type field. Note that an event with no loglevel field at all cannot match in(), so the negated test holds for it and it is also labelled Critical; add a presence check such as loglevel=* to the condition if that is not intended.

The final branch, *, matches anything left over and sets type to Other. In this example, events with loglevel INFO or DEBUG therefore end up as Other.

The case statement can also be read like this: if srcIP starts with 192.168.1., set type to Internal. Otherwise, if loglevel is not DEBUG or INFO, set type to Critical. Otherwise, set type to Other.
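As an added example, not part of this page and not LogScale code, the following Python models the semantics used above: in() with * as the only wildcard, the ! negation, and ordered case branches with a * catch-all. It runs the classification over the page's sample lines plus two constructed extra lines (a 192.168.10.x address, to show the glob does not bleed into neighbouring subnets, and an event with no loglevel field, to show how it falls into Critical), and adds a stricter variant with a presence check. The helper names in_, negate, has_field, all_of, case and categorize are this example's own.

```python
"""Added example, not from the LogScale page: a Python model of the page's
case/in() classification, to show first-match-wins ordering and how events
with a missing field fall through the negated in() test."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
Predicate = Callable[[Event], bool]
Row = Tuple[Optional[str], Optional[str], Optional[str]]

# Constructed input in the page's key=value form. The first five lines are
# the page's sample data; the last two are added here to exercise edge cases.
SAMPLE_LOG = """\
srcIP=192.168.1.5 loglevel=ERROR status=404 user=admin
srcIP=10.0.0.1 loglevel=INFO status=200 user=user1
srcIP=172.16.0.5 loglevel=WARN status=422 user=user2
srcIP=192.168.1.15 loglevel=ERROR status=500 user=admin
srcIP=10.0.0.12 loglevel=DEBUG status=302 user=user1
srcIP=192.168.10.7 loglevel=INFO status=200 user=user3
srcIP=10.0.0.99 status=503 user=svc
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Event]:
    """Split each non-empty line into a dict of key=value pairs."""
    return [dict(_KV.findall(line)) for line in text.splitlines() if line.strip()]


def _glob(pattern: str) -> "re.Pattern[str]":
    """Turn a value with * wildcards into an anchored regex; only * is special."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def in_(field: str, values: List[str]) -> Predicate:
    """Model of in(field, values=[...]): true when the field is present and its
    value matches one of the (possibly wildcarded) values. A missing field
    never matches, which is what makes the negated form surprising."""
    patterns = [_glob(v) for v in values]
    return lambda ev: field in ev and any(p.match(ev[field]) for p in patterns)


def negate(pred: Predicate) -> Predicate:
    """Model of the ! prefix on a filter."""
    return lambda ev: not pred(ev)


def has_field(field: str) -> Predicate:
    """Model of the presence test field=*."""
    return lambda ev: field in ev


def all_of(*preds: Predicate) -> Predicate:
    """Model of chaining filters with |: every predicate must hold."""
    return lambda ev: all(p(ev) for p in preds)


def case(branches: List[Tuple[Optional[Predicate], str]]) -> Callable[[Event], Optional[str]]:
    """Model of case { cond | type := ...; ...; * | type := ... }: branches are
    tried in order and the first whose condition holds assigns the label.
    A None condition is the catch-all * branch."""
    def classify(ev: Event) -> Optional[str]:
        for cond, label in branches:
            if cond is None or cond(ev):
                return label
        return None  # no branch matched and no * branch: type stays unset
    return classify


# The page's query, as written.
CLASSIFY = case([
    (in_("srcIP", ["192.168.1.*"]), "Internal"),
    (negate(in_("loglevel", ["DEBUG", "INFO"])), "Critical"),
    (None, "Other"),
])

# Stricter variant (added here): require loglevel to exist before calling an
# event Critical, so events that simply lack the field fall through to Other.
CLASSIFY_STRICT = case([
    (in_("srcIP", ["192.168.1.*"]), "Internal"),
    (all_of(has_field("loglevel"), negate(in_("loglevel", ["DEBUG", "INFO"]))), "Critical"),
    (None, "Other"),
])


def categorize(text: str = SAMPLE_LOG, classify=CLASSIFY) -> List[Row]:
    """Return (srcIP, loglevel, type) for every event in text."""
    return [(ev.get("srcIP"), ev.get("loglevel"), classify(ev)) for ev in parse_events(text)]


if __name__ == "__main__":
    for src, level, kind in categorize():
        print(f"{src:<14} {str(level):<6} {kind}")
```

Running the block prints the page's five results unchanged, labels 192.168.10.7 as Other (the glob requires the literal 192.168.1. prefix), and labels the event without a loglevel field as Critical; with CLASSIFY_STRICT that last event becomes Other instead.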
Summary and Results
The query is used to categorize events and define their type; because the case branches are tried in order, an internal source address takes precedence over the log level.
Sample output from the incoming example data:
srcIP | loglevel | status | user | type |
---|---|---|---|---|
192.168.1.5 | ERROR | 404 | admin | Internal |
10.0.0.1 | INFO | 200 | user1 | Other |
172.16.0.5 | WARN | 422 | user2 | Critical |
192.168.1.15 | ERROR | 500 | admin | Internal |
10.0.0.12 | DEBUG | 302 | user1 | Other |