Run Book

Mapping Fields to HBase Enrichments

Now that you have data flowing into the HBase table, you need to configure the enrichment topology so that it can enrich the events flowing through it.

You can refine the parser output in three ways:

  • Transformations

  • Enrichments

  • Threat Intel

Each of the parser outputs is added or modified in the Schema field. To modify any of the parser outputs, complete the following steps:

Note: To load sample data from your sensor, the sensor must be running and producing data.

  1. Display the Management module UI.

  2. Select the new sensor from the list of sensors on the main window.

  3. Click the pencil icon in the list of tool icons for the new sensor.

    The Management Module displays the sensor panel for the new sensor.

  4. In the Schema box, click the expand window button.

    The Management module displays a second panel and populates the panel with message, field, and value information.

    The Sample field, at the top of the panel, displays a parsed version of a sample message from the sensor. The Management module will test your transformations against these parsed messages.

    You can use the right and left arrow buttons in the Sample field to view the parsed version of each sample message available from the sensor.

  5. You can apply transformations to an existing field or create a new field. Click the edit icon next to a field to apply transformations to that field, or click the plus sign at the bottom of the Schema panel to create a new field.

    Typically users store transformations in a new field rather than overriding existing fields.

    For both options, the Management module expands the panel with a dialog box containing fields in which you can enter field information.

    Figure 4.1. New Schema Information Panel


  6. In the dialog box, enter the name of the new field in the NAME field, choose an input field from the INPUT FIELD box, and choose your transformation from the TRANSFORMATIONS field or enrichment from the ENRICHMENTS field.

    For example, to create a new field containing the upper case version of the method field, do the following:

    • Enter method-uppercase in the NAME field.

    • Choose method from the INPUT FIELD.

    • Choose TO_UPPER in the TRANSFORMATIONS field.

      Your new schema information panel should look like this:

      Figure 4.2. Populated New Schema Information Panel


  7. Click SAVE to save your changes.

  8. To suppress a field from appearing in the index, click the suppress icon next to it.

  9. Click SAVE to save the changed information.

    The Management module updates the Schema field with the number of changes applied to the sensor.
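As an added illustration (not part of the original run book), the new field from step 6 corresponds to a STELLAR entry in the sensor's parser configuration, written here in Apache Metron's fieldTransformations format; the parser class and sensor topic are placeholders, and the example assumes the Management module persists the same structure that you would write by hand:

```json
{
  "parserClassName": "PLACEHOLDER_PARSER_CLASS",
  "sensorTopic": "PLACEHOLDER_SENSOR_TOPIC",
  "fieldTransformations": [
    {
      "transformation": "STELLAR",
      "output": ["method-uppercase"],
      "config": {
        "method-uppercase": "TO_UPPER(method)"
      }
    }
  ]
}
```

Comparing this fragment with what the UI saved is a quick way to confirm that a schema change produced exactly the transformation you intended and nothing more.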