PostEvents
The PostEvents action posts an array of events to the QRadar event pipeline, which allows the events to be parsed, correlated, and stored.
The following table shows the parameters for the PostEvents action.
Name | Data type | Required | Notes |
---|---|---|---|
path | JPath | Yes | The path of the array element to post. |
encoding | String | No | The encoding of the event. Possible values: The default is UTF-8. |
source | String | Yes (Optional field for V2_1) | The source (host) of the event. The source value is used to route the event within the event pipeline to the correct log source. The event is matched to the log source identifier of an existing log source. For V1 and V2, if no log source exists with a matching log source identifier, the event is stored without parsing and a copy of the event is sent to the log source autodetection engine. For V2_1, if no source attribute is defined in the workflow, the value of the log source identifier is used as the event generation source. If a log source is autodetected from the event, it is created with its log source identifier set to the source value. |
XML Example:
- For V1 and V2
  This action posts the array of strings that are stored in the State at /events into the QRadar event pipeline as a series of events. If a log source has a log source identifier that matches the value that is stored in /host, the events are routed to that log source.
  <PostEvents path="/events" source="${/host}" />
- For V2_1
  This action posts the array of strings that are stored in the State at /events into the QRadar event pipeline as a series of events.
  <PostEvents path="/events" />
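Because a V1 or V2 event whose source matches no log source identifier is stored without parsing, it is worth checking PostEvents actions before a workflow is deployed. The following is an added example, not part of the product documentation: a small Python check that applies the parameter table above to a workflow fragment. The function name, the `<Actions>` wrapper in the sample, and passing the workflow version in as an argument are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Parameter rules taken from the PostEvents table on this page.
ALLOWED = {"path", "encoding", "source"}
SOURCE_REQUIRED = {"V1": True, "V2": True, "V2_1": False}


def lint_post_events(xml_text, version):
    """Return findings for every PostEvents element in xml_text.

    version is the label used on this page (V1, V2 or V2_1); the caller
    supplies it, which is an assumption of this example.
    """
    if version not in SOURCE_REQUIRED:
        raise ValueError(f"unknown workflow version: {version}")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unclosed tags and typographic quotes around values end up here.
        return [f"not well-formed XML: {exc}"]

    findings = []
    # Strip any namespace prefix so namespaced workflows are matched too.
    actions = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "PostEvents"]
    for n, action in enumerate(actions, start=1):
        attrs = action.attrib
        where = f"PostEvents #{n}"
        if not attrs.get("path", "").strip():
            findings.append(f"{where}: missing required 'path'")
        for name in sorted(set(attrs) - ALLOWED):
            findings.append(f"{where}: unknown attribute '{name}'")
        if "source" not in attrs:
            if SOURCE_REQUIRED[version]:
                findings.append(f"{where}: 'source' is required for {version}")
        elif not attrs["source"].strip():
            findings.append(f"{where}: empty 'source' cannot match a log source identifier")
    return findings


# Constructed sample input: three PostEvents actions inside a wrapper element.
SAMPLE = """<Actions>
  <PostEvents path="/events" source="${/host}" />
  <PostEvents path="/events" />
  <PostEvents path="/events" host="${/host}" />
</Actions>"""

if __name__ == "__main__":
    for version in ("V2", "V2_1"):
        print(version, lint_post_events(SAMPLE, version))
```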