Version: Next

ameenrich Command

Description

The ameenrich command enriches indexed events with information from the event KV-store collections. The command gives access to tenant data based on the user executing the command.

An example use case is to query audit logs from the tenant index. Each audit event contains an event_key field. An event could be, e.g., an event status change. The indexed event itself does not include metadata about the event (e.g., the search name that triggered the event). Using the ameenrich command, the user can enrich the indexed event.

Syntax

The required syntax is bold.

Optional arguments

tenants
Syntax: tenants=<tenant_list> | <wc>
Description: A comma-separated and quoted list of tenants or a wildcard for all tenants. Example: tenants="default,sec,ops"
Default: tenants=*

status
Syntax: status=<status_list> | <wc>
Description: A comma-separated and quoted list of statuses or a wildcard for all statuses. Note that all_open and all_closed can be also used Example: status="new,in_progress,closed" Default: status=*

status_types
Syntax: status_types_list=<status_types_list> Description: A comma-separated and quoted list of statuses for the status types new, in_progress and done Example: status_type="new,in_progress"
Default: status_types=*

assignees
Syntax: assignees=<assignee_list> | <wc>
Description: A comma-separated and quoted list of assignees or a wildcard for all assignees. Example: assignees="user1,user2,user3"
Default: assignees=*

tags
Syntax: tags=<tag_list> | <wc>
Description: A comma-separated and quoted list of tags or a wildcard for all tags. Example: tags="tag1,tag2,tag3"
Default: tags=*

tag_mode
Syntax: tag_mode=<AND> | <OR>
Description: The tag search mode. Example: tag_mode="AND"
Default: tag_mode="OR"

saved_searches
Syntax: saved_searches=<saved_searches_list> | <wc>
Description: A JSON formatted list of saved_search names or a wildcard for all tags. Example: saved_searches="[\"saved_search1\",\"saved_search2\"]"
Default: saved_searches="*"

fields
Syntax: fields=<fields_list> | <wc>
Description: A comma-separated and quoted list of fields or a wildcard for all tags. Example: fields="status,count"
Default: fields=*

sla_info
Syntax: sla_info=<bool> Description: Boolean value to indicate whether to include SLA information in the results. Example: sla_info="true" Default: sla_info="false"

has_slas
Syntax: has_slas=<bool> Description: Boolean value to indicate whether to include events that have SLAs. Example: has_slas="true" Default: None

has_sla_violations
Syntax: has_sla_violations=<bool> Description: boolean value to indicate whether to include events that have SLA violations. Example: has_sla_violations="true" Default: None

has_sla_violations_within
Syntax: has_sla_violations_within=<bool> Description: Integer value to indicate the number of seconds remaning until an SLA is violated. Example: has_sla_violations_within="300" Default: None

Examples

Enrich events with data from Alert Manager Enterprise
```
```text
| ameenrich
```  
```
Enrich events with data from Alert Manager Enterprise, but only for the fields named status and count
```
    ```text
    | ameenrich fields="status,count"
    ```
```

Enrich events with data from Alert Manager Enterprise, for the fields status, assignee and tenant, but only if the assignee is analyst_03 or engineer_04. Then search for events that were enriched.

    ```text
    index=ame_default sourcetype="ame-index-entry" 
    | ameenrich assignees="analyst_03,engineer_04" fields="status,assignee,tenant" 
    | search filter_matched=1
    ```

Search for a single event key and enrich the data

```text
| eval event_key=653be0730281cce7620c5fd0 | ameenrich 
```

Search for a single event key and enrich the data with SLA information.

```text
| eval event_key=653be0730281cce7620c5fd0 | ameenrich sla_info="true"
```

Description​

Syntax​

Optional arguments​

Examples​

Description

Syntax

Optional arguments

Examples