Enrich Event Text via File

This functionality allows you to attach or replace text from events recorded in a repository when searched. You can do this by creating CSV (comma-separated values) files and uploading them to the repository. These files can be used together with query functions.

Creating a New File

  1. Click Files tab and then click + New File and select Create New.

  2. Specify a name for the file and then select either + Empty File to create an empty file to populate or + Package to use a template from a previously installed package.

  3. Click + to add rows and columns.

  4. Click Save to save the changes and once saved you can download the file by clicking Download.

Load CSV File

Figure 60. Load CSV File


Editing a data table through the Files interface page can be tedious. If you have many changes to make, you can download the file by clicking the Download button and then edit it in a spreadsheet program or a simple text editor.

Uploading a File

  1. Click Files tab and then click + New File and select Upload File.

  2. Browse for the file to upload and click Open.

You can upload a CSV file containing text like what you see below, which is essentially a lookup table that you can use for labels or value lookups.

yaml
userid,ip,username,region
1,"212.12.31.23","pete","EU"
2,"212.12.31.231","bob","EU"
3,"98.12.31.21","anders","EU"
4,"121.12.31.23","jeff","US"
5,"82.12.31.23","ted","AU"
6,"62.12.31.23","annie","US"
7,"122.12.31.23","joe","CH"
8,"112.11.11.21","alice","CH"
9,"212.112.131.22","admin","RU"
10,"212.12.31.23","wendy","EU"

Once it has been uploaded, it will look like what you see in. You would use such a data table together with the lookup and match functions to add labels to the results of a search. Notice that the values are in quotes, except for the ones for userid, which are integers. See the Lookup API reference page for more information on this topic.

Once you've uploaded a CSV file, you can edit the data and click + to add rows and columns, once you have finished click Save.