Example: Enriching event information using lookup tables
Lookup tables use information in your events to determine how to add other fields from external data sources such as CSV files. Event policies can contain multiple lookup tables. Some event fields have more options than others. For instance, you can only replace the attribute Hostname, while you can prepend to, append to, or replace the attribute Summary.
About this task
A basic example would be using the lookup table that we created in Creating lookup tables with application names and a summary update to add summary information to an event. You might have a monitoring tool that sends event data about the applications, but it's not immediately clear which application is affected. Using the enrich action and lookup capability, you can add more detail to the summary, making it more helpful in understanding the issue at a glance.
Let's examine how this lookup table is applied in the following policy example. The value of the event attribute Application (seen in Figure 4) is compared with the values in the applicationname column of the lookup table in Figure 1. If a match is found, in this case in row 3 (highlighted in red), then the value in the summaryupdate column of row 3 is appended to the event summary, as shown in Figure 2.
Procedure
Results
When events match the set conditions, the event information will be enriched with the correlated values from the lookup table, as specified by the lookup criteria.
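The lookup described above, sketched in Python as an added example (not the product's own code or API). The column names applicationname and summaryupdate and the attributes Application, Summary and Hostname come from this page; the table rows, the sample event, the function names and the exact-match rule after trimming whitespace are assumptions.

```python
import csv
import io

# Constructed sample lookup table; the column names applicationname and
# summaryupdate come from the page, the rows are made up for illustration.
LOOKUP_CSV = """applicationname,summaryupdate
billing-api,Billing service: customer invoicing may be delayed
auth-gateway,Login gateway: users may be unable to sign in
inventory-db,Inventory database: stock levels may be stale
"""

# Assumption: which actions each attribute allows, based on the page's
# statement that Hostname is replace-only while Summary allows all three.
ALLOWED_ACTIONS = {
    "Hostname": {"replace"},
    "Summary": {"prepend", "append", "replace"},
}


def load_lookup(csv_text, key_column):
    """Index the lookup table rows by the value in key_column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key_column].strip(): row for row in reader}


def enrich(event, table, event_attr, value_column, target_attr, action):
    """Return a copy of event with target_attr updated from the matching row."""
    if action not in ALLOWED_ACTIONS.get(target_attr, set()):
        raise ValueError(f"{action} is not supported for {target_attr}")
    row = table.get(str(event.get(event_attr, "")).strip())
    if row is None:
        return dict(event)  # no match: event passes through unchanged
    new_value = row[value_column]
    current = event.get(target_attr, "")
    enriched = dict(event)
    if action == "append":
        enriched[target_attr] = f"{current} {new_value}".strip()
    elif action == "prepend":
        enriched[target_attr] = f"{new_value} {current}".strip()
    else:
        enriched[target_attr] = new_value
    return enriched


TABLE = load_lookup(LOOKUP_CSV, "applicationname")
# Constructed sample event; its Application value matches row 3 of the table.
EVENT = {"Application": "inventory-db", "Hostname": "host01", "Summary": "High latency detected."}
ENRICHED = enrich(EVENT, TABLE, "Application", "summaryupdate", "Summary", "append")
```

An event whose Application value has no row in the table is returned unchanged, which makes gaps in the lookup data easy to spot when reviewing enriched events.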