
Complex Event Parser

Complex Event Parser parses incoming complex events such as lookup events (i.e. the create, update or delete of a lookup) and puts them into the lmio-output topic in Kafka.

From there, the parsed complex events are also posted to the input topic by LogMan.io Watcher instances, so that correlators and dispatchers may react to the events as well.

Sample declaration

The sample YAML declaration for lookup events in Complex Event Parser may look as follows:

p00_json_preprocessor.yaml

---
define:
  name: Preprocessor for JSON with tenant extraction
  type: parser/preprocessor
  tenant: JSON.tenant

function: lmiopar.preprocessor.JSON

p01_lookup_event_parser.yaml

---
define:
  name: Lookup Event Parser
  type: parser/cascade

predicate:
  !AND
  - !ISNOT
    - !ITEM CONTEXT JSON.lookup_id
    - !!null
  - !ISNOT
    - !ITEM CONTEXT JSON.action
    - !!null

parse:
  !DICT
  set:
    "@timestamp": !ITEM CONTEXT "JSON.@timestamp"
    end: !ITEM CONTEXT "JSON.@timestamp"
    deviceVendor: TeskaLabs
    deviceProduct: LogMan.io
    dvc: 172.22.0.12
    dvchost: lm1
    deviceEventClassId: lookup:001
    name: !ITEM CONTEXT JSON.action
    fname: !ITEM CONTEXT JSON.lookup_id
    fileType: lookup
    categoryObject: /Host/Application
    categoryBehavior: /Modify/Configuration
    categoryOutcome: /Success
    categoryDeviceGroup: /Application
    type: Base
    tenant: !ITEM CONTEXT JSON.tenant
    customerName: !ITEM CONTEXT JSON.tenant
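To show what the two declarations above do to a concrete event, here is an added illustration in Python. It is not the lmiopar implementation and not code from LogMan.io; it transcribes the predicate and parse sections into plain Python data and evaluates them with a small hypothetical interpreter of the !AND, !ISNOT, !ITEM CONTEXT and !DICT set constructs as the page shows them. The three JSON input events are constructed for this example; everything in the output mapping comes from the declaration.

```python
import json

# Constructed sample inputs (not from the page): a lookup update, an ordinary
# log line that is not a lookup event, and a lookup event missing its action.
SAMPLE_INPUTS = [
    '{"tenant": "acme", "lookup_id": "blocked_ips", "action": "update", '
    '"@timestamp": "2024-01-01T12:00:00Z"}',
    '{"tenant": "acme", "message": "ordinary log line", '
    '"@timestamp": "2024-01-01T12:00:01Z"}',
    '{"tenant": "acme", "lookup_id": "blocked_ips", '
    '"@timestamp": "2024-01-01T12:00:02Z"}',
]

# p01_lookup_event_parser.yaml transcribed into tuples (hypothetical encoding):
# ("ITEM", path) stands for `!ITEM CONTEXT path`, ("ISNOT", a, b) for !ISNOT,
# ("AND", ...) for !AND; any other value is a literal (None is YAML !!null).
PREDICATE = ("AND",
             ("ISNOT", ("ITEM", "JSON.lookup_id"), None),
             ("ISNOT", ("ITEM", "JSON.action"), None))

PARSE_SET = {
    "@timestamp": ("ITEM", "JSON.@timestamp"),
    "end": ("ITEM", "JSON.@timestamp"),
    "deviceVendor": "TeskaLabs",
    "deviceProduct": "LogMan.io",
    "dvc": "172.22.0.12",
    "dvchost": "lm1",
    "deviceEventClassId": "lookup:001",
    "name": ("ITEM", "JSON.action"),
    "fname": ("ITEM", "JSON.lookup_id"),
    "fileType": "lookup",
    "categoryObject": "/Host/Application",
    "categoryBehavior": "/Modify/Configuration",
    "categoryOutcome": "/Success",
    "categoryDeviceGroup": "/Application",
    "type": "Base",
    "tenant": ("ITEM", "JSON.tenant"),
    "customerName": ("ITEM", "JSON.tenant"),
}


def item(context, path):
    """`!ITEM CONTEXT "a.b"`: walk the dotted path; None if any segment is missing."""
    node = context
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(expr, context):
    """Evaluate one declaration expression against the CONTEXT dictionary."""
    if isinstance(expr, tuple):
        op = expr[0]
        if op == "ITEM":
            return item(context, expr[1])
        if op == "ISNOT":
            return evaluate(expr[1], context) != evaluate(expr[2], context)
        if op == "AND":
            return all(evaluate(sub, context) for sub in expr[1:])
        raise ValueError(f"unknown operator {op}")
    return expr  # literal value from the declaration


def preprocess(raw):
    """p00_json_preprocessor.yaml: decode JSON into CONTEXT["JSON"] and take
    the tenant from JSON.tenant, as the `tenant:` line declares."""
    context = {"JSON": json.loads(raw)}
    context["tenant"] = item(context, "JSON.tenant")
    return context


def parse_lookup_event(raw):
    """Return the !DICT built by the parse section, or None when the predicate
    rejects the event (no lookup_id or no action), so this cascade does not apply."""
    context = preprocess(raw)
    if not evaluate(PREDICATE, context):
        return None
    return {key: evaluate(value, context) for key, value in PARSE_SET.items()}


def run(inputs=SAMPLE_INPUTS):
    """Parse every input; entries are None for events the predicate filtered out."""
    return [parse_lookup_event(raw) for raw in inputs]


if __name__ == "__main__":
    for parsed in run():
        print(json.dumps(parsed, indent=2))
```

Only the first input passes the predicate; the other two yield None, which is the behaviour to expect from the real parser for events that are not lookup create/update/delete events, since the cascade declaration applies only when both JSON.lookup_id and JSON.action are present.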

The declarations should always be part of LogMan.io Library.