Field Alias Lookup & Enricher

Lookup

Field Alias lookup contains information about canonical names of event attributes, together with their possible aliases (like short names etc.).

Field Alias lookup ID must contain the following substring: field_alias

The lookup record has the following structure:

key: canonical_name
value: {
    "aliases": [
        alias1,  # f. e. short name
        alias2,  # f. e. long name
        ...
    ]
}

The field aliases can be specified in parsers’, standard enrichers’ and correlators’ define section, so that alias names used in the declarative file (like !ITEM EVENT alias) are translated to canonical names, when accessing an existing element (i. e. !ITEM EVENT alias or !ITEM EVENT canonical_name).

Also, the lookup should be used in Field Alias enricher to transform all aliases into canonical names after successful parsing in LogMan.io Parser.

Enricher

Field Alias enriches the event with canonical names of the existing attributes, that are named by one of the specified aliases, while deleting the alias attributes in the event.

Declaration

---
define:
  name: FieldAliasEnricher
  type: enricher/fieldalias
  lookup: field_alias.default

Section define

This section defines the name and the type of the enricher, which in the case of Field Alias is always enricher/fieldalias.

Item name

Shorter human-readable name of this declaration.

Item type

The type of this declaration, must be enricher/fieldalias.