ameenrich Command
Description
The ameenrich command enriches indexed events with information from the event KV-store collections. Access to tenant data is granted based on the user executing the command, so the enrichment a search returns depends on the permissions of the user running it rather than on the search text alone.
An example use case is to query audit logs from the tenant index. Each audit event contains an event_key field. An event could be, for example, an event status change. The indexed event itself does not include metadata about the event (for example, the name of the search that triggered it). With the ameenrich command, the user can enrich the indexed event with that metadata.
Syntax
Only the command name is required; every argument is optional. <wc> denotes the wildcard *, and <saved_searches_list> is a JSON-formatted list.
```text
ameenrich
    [tenants=<tenant_list> | <wc>]
    [status=<status_list> | <wc>]
    [assignees=<assignee_list> | <wc>]
    [tags=<tag_list> | <wc>]
    [tag_mode=<AND | OR>]
    [saved_searches=<saved_searches_list> | <wc>]
    [fields=<fields_list> | <wc>]
```
Optional arguments
tenants
Syntax: tenants=<tenant_list> | <wc>
Description: A comma-separated and quoted list of tenants or a wildcard
for all tenants. Example: tenants="default,sec,ops"
Default: tenants=*
status
Syntax: status=<status_list> | <wc>
Description: A comma-separated and quoted list of statuses, or a wildcard for all statuses. The special values all_open and all_closed can also be used to match every open or every closed status.
Example: status="new,in_progress"
Default: status=*
assignees
Syntax: assignees=<assignee_list> | <wc>
Description: A comma-separated and quoted list of assignees or a wildcard
for all assignees. Example: assignees="user1,user2,user3"
Default: assignees=*
tags
Syntax: tags=<tag_list> | <wc>
Description: A comma-separated and quoted list of tags or a wildcard for
all tags. Example: tags="tag1,tag2,tag3"
Default: tags=*
tag_mode
Syntax: tag_mode=<AND | OR>
Description: The tag match mode. With AND an event must carry every tag in the tags list; with OR one matching tag is enough. Example: tag_mode="AND"
Default: tag_mode="OR"
saved_searches
Syntax: saved_searches=<saved_searches_list> | <wc>
Description: A JSON-formatted list of saved search names, or a wildcard for all saved searches. Note that the inner double quotes must be backslash-escaped inside the SPL string.
Example: saved_searches="[\"saved_search1\",\"saved_search2\"]"
Default: saved_searches="*"
fields
Syntax: fields=<fields_list> | <wc>
Description: A comma-separated and quoted list of the enrichment fields to add to each event, or a wildcard for all fields. Example: fields="status,count"
Default: fields=*
Examples
Enrich events with data from Alert Manager Enterprise:
```text
| ameenrich
```
Enrich events with data from Alert Manager Enterprise, but only for the fields named status and count:
```text
| ameenrich fields="status,count"
```
Enrich events with data from Alert Manager Enterprise for the fields status, assignee and tenant, but only where the assignee is analyst_03 or engineer_04. Then keep only the events whose enrichment matched the filter; the command marks those with filter_matched=1:
```text
index=ame_default sourcetype="ame-index-entry"
| ameenrich assignees="analyst_03,engineer_04" fields="status,assignee,tenant"
| search filter_matched=1
```
Search for a single event by its event_key. Because eval is not a generating command, makeresults supplies the one placeholder result, and the key is quoted so that eval treats it as a string literal rather than a field name:
```text
| makeresults
| eval event_key="653be0730281cce7620c5fd0"
| ameenrich
```
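A fuller triage search that combines several of the filters above, added here as an example and not taken from the Alert Manager Enterprise documentation. It reuses the ame_default index, the ame-index-entry sourcetype and the field names status, assignee and tenant from the examples above; the tenant name sec and the tag names phishing and vip are constructed for illustration and are not names the page defines.

```spl
index=ame_default sourcetype="ame-index-entry" earliest=-24h@h
| ameenrich tenants="sec" status="all_open" tags="phishing,vip" tag_mode="AND" fields="status,assignee,tenant"
| search filter_matched=1
| stats count AS open_events BY tenant assignee status
| sort - open_events
```

The search restricts enrichment to the sec tenant, keeps only open events that carry both tags (tag_mode="AND"), and pulls in only the three enrichment fields it needs before aggregating. Because the command scopes tenant data to the executing user, the same search run by an account without access to the sec tenant yields no rows past the filter_matched=1 step; when it is saved as a scheduled search it runs with its owner's permissions, so confirm that the owning account is entitled to the tenants it is meant to cover.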