Field Alias Lookup & Enricher¶
Lookup¶
Field Alias lookup contains information about canonical names of event attributes, together with their possible aliases (like short names etc.).
Field Alias lookup ID must contain the following substring: field_alias
The lookup record has the following structure:
key: canonical_name
value: {
"aliases": [
alias1, # f. e. short name
alias2, # f. e. long name
...
]
}
The field aliases can be specified in parsers', standard enrichers' and correlators'
define section, so that alias names used in the declarative file (like !ITEM EVENT alias
)
are translated to canonical names, when accessing an existing element
(i. e. !ITEM EVENT alias
or !ITEM EVENT canonical_name
).
Also, the lookup should be used in Field Alias enricher to transform all aliases into canonical names after successful parsing in LogMan.io Parser.
Enricher¶
Field Alias enriches the event with canonical names of the existing attributes, that are named by one of the specified aliases, while deleting the alias attributes in the event.
Declaration¶
---
define:
name: FieldAliasEnricher
type: enricher/fieldalias
lookup: field_alias.default
Section define
¶
This section defines the name and the type of the enricher,
which in the case of Field Alias is always enricher/fieldalias
.
Item name
¶
Shorter human-readable name of this declaration.
Item type
¶
The type of this declaration, must be enricher/fieldalias
.