Lookup events

When a change in one of the lookups or its items happens, usually due to a triggered lookup event or modification via UI, all LogMan.io Correlator instances are notified using an incoming event.

The lookup change may be either the creation or deletion of the lookup or creation, update, deletion as well as deletion caused by expiration of individual lookup items.

Lookup event structure

Lookup event is a JSON structure with three mandatory attributes: action, lookup_id and data. The @timestamp and tenant attributes are added automatically as well as other configured meta attributes.

action

Specifies the action the lookup event caused. The action is taken on the entire lookup or just one of its items. Refer to the list below to see all available actions and their associated events.

lookup_id

ID/name of the lookup. The lookup ID in lookup events also contain the tenant name after the dot . character, so every component knows, which tenant the lookup is specific for.

data

Specification od lookup data (i. e. lookup item) to be created/updated, as well as meta information (in case of item deletion).

Lookup items contain their ID in _id attribute of the data structure. The _id is a string based on:

Single key

If the lookup has only one key (f. e. userName), the _id is the value itself in case of string.

'data': {
	'_id': 'JohnDoe'
}
...

If the value is bytes, _id is UTF-8 decoded string representation of the value. If the value is neither string nor bytes, it is handled the same way as ID, when using compound keys.

Compound key

If the lookup consists of more keys (f. e. [userName, location]), the _id is a hash representation of the value.

The original values are then stored in _keys attribute inside the data structure:

'data': {
	'_id': '<INTERNAL_HASH>',
	'_keys': ['JohnDoe', 'Company 1']
}
...

Create lookup

When a lookup is created, the following action is produced:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'create_lookup',
	'data': {},
	'metadata': {
		'_keys': ['key1name', 'key2name' ...]
		...
	},
	'lookup_id': 'myLookup.tenant'
}

Meta data contain information about the lookup creation, such as names of the individual keys (f. e. [userName, location]) in the case of compound keys.

Delete lookup

When a lookup is deleted, the following action is produced:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'delete_lookup',
	'data': {},
	'lookup_id': 'myLookup.tenant'
}

Create item

When an item is created, the following action is produced:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'create_item',
	'data': {
		'_id': 'newItemId',
		'_keys': [],
		...
	},
	'lookup_id': 'myLookup.tenant'
}

Update item

When an item is updated, the following action is produced:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'update_item',
	'data': {
		'_id': 'existingOrNewItemId',
		'_keys': [],
		...
	},
	'lookup_id': 'myLookup.tenant'
}

Delete item

When an item is deleted, the following action is produced.

Expiration

In case of deletion due to an expiration:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'delete_item',
	'data': {
		'_id': 'existingItemId',
		'reason': 'expiration'
	},
	'lookup_id': 'myLookup.tenant'
}

Delete

In other reasons:

{
	'@timestamp': <UNIX_TIMESTAMP>,
	'tenant': <TENANT>,
	'action': 'delete_item',
	'data': {
		'_id': 'existingItemId',
		'reason': 'delete'
	},
	'lookup_id': 'myLookup.tenant'
}