ameenrich Command
Description
The ameenrich command enhances indexed events with data from Alert Manager Enterprise (AME) KV Store collections, providing tenant-specific information based on the executing user's permissions.
For example, you can query tenant audit logs (stored in the tenant index), where each audit event includes an event_key field (e.g., for a status change). While the indexed event lacks metadata such as the triggering search name, ameenrich adds this context.
Syntax
Required syntax is in bold.
ameenrich
[tenants=<tenant_list> | <wc>]
[status=<status_list> | <wc>]
[status_types=<status_types_list> | <wc>]
[assignees=<assignee_list> | <wc>]
[tags=<tag_list> | <wc>]
[tags_mode=<AND | OR>]
[saved_searches=<saved_searches_list (JSON formatted)> | <wc>]
[fields=<fields_list> | <wc>]
[sla_info=<bool>]
[has_slas=<bool>]
[has_sla_violations=<bool>]
[has_sla_violation_within=<int>]
Optional Arguments
tenants
Syntax: tenants=<tenant_list> | <wc>
Description: A comma-separated and quoted list of tenants or a wildcard
for all tenants. Example: tenants="default,sec,ops"
Default: tenants=*
status
Syntax: status=<status_list> | <wc>
Description: A comma-separated and quoted list of statuses or a wildcard for all statuses. Note that all_open and all_closed can also be used.
Example: status="new,in_progress,closed"
Default: status=*
status_types
Syntax: status_types=<status_types_list> | <wc>
Description: A comma-separated and quoted list of statuses for the status types new, in_progress and done.
Example: status_types="new,in_progress"
Default: status_types=*
assignees
Syntax: assignees=<assignee_list> | <wc>
Description: A comma-separated and quoted list of assignees or a wildcard
for all assignees. Example: assignees="user1,user2,user3"
Default: assignees=*
tags
Syntax: tags=<tag_list> | <wc>
Description: A comma-separated and quoted list of tags or a wildcard for
all tags. Example: tags="tag1,tag2,tag3"
Default: tags=*
tag_mode
Syntax: tag_mode=<AND> | <OR>
Description: The tag search mode. Example: tag_mode="AND"
Default: tag_mode="OR"
saved_searches
Syntax: saved_searches=<saved_searches_list> | <wc>
Description: A JSON formatted list of saved_search names or a wildcard for all saved searches.
Example: saved_searches="[\"saved_search1\",\"saved_search2\"]"
Default: saved_searches="*"
fields
Syntax: fields=<fields_list> | <wc>
Description: A comma-separated and quoted list of fields or a wildcard for all fields. Example: fields="status,count"
Default: fields=*
sla_info
Syntax: sla_info=<bool>
Description: Boolean value to indicate whether to include SLA information in the results. Example: sla_info="true"
Default: sla_info="false"
has_slas
Syntax: has_slas=<bool>
Description: Boolean value to indicate whether to include events that have SLAs. Example: has_slas="true"
Default: None
has_sla_violations
Syntax: has_sla_violations=<bool>
Description: Boolean value to indicate whether to include events that have SLA violations. Example: has_sla_violations="true"
Default: None
has_sla_violations_within
Syntax: has_sla_violations_within=<int>
Description: Integer value to indicate the number of seconds remaining until an SLA is violated. Example: has_sla_violations_within="300"
Default: None
Examples
Enrich events with data from Alert Manager Enterprise
```text
| ameenrich
```
Enrich events with data from Alert Manager Enterprise, but only for the fields named status and count
```text
| ameenrich fields="status,count"
```
Enrich events with data from Alert Manager Enterprise, for the fields status, assignee and tenant, but only if the assignee is analyst_03 or engineer_04. Then search for events that were enriched.
```text
index=ame_default sourcetype="ame-index-entry"
| ameenrich assignees="analyst_03,engineer_04" fields="status,assignee,tenant"
| search filter_matched=1
```
Search for a single event key and enrich the data (the key is a string and must be quoted in eval)
```text
| eval event_key="653be0730281cce7620c5fd0" | ameenrich
```
Search for a single event key and enrich the data with SLA information.
```text
| eval event_key="653be0730281cce7620c5fd0" | ameenrich sla_info="true"
```
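An added example, not taken from the AME documentation, that combines several of the filters above into one monitoring search for open alerts whose SLA is about to be breached. It assumes the index, sourcetype and field names used in the examples above, a 15-minute (900 second) window, and that sla_info and has_sla_violations_within may be combined.

```spl
index=ame_default sourcetype="ame-index-entry"
| ameenrich tenants="default,sec" status="all_open" fields="status,assignee,tenant" sla_info="true" has_sla_violations_within="900"
| search filter_matched=1
| stats count AS at_risk_alerts BY tenant assignee status
| sort - at_risk_alerts
```

Because the enrichment is scoped to the executing user's permissions, the same search run by two users may return different tenants, so a scheduled version should run as a user who is allowed to see every tenant listed.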