Map Fields to HBase Enrichments
Each of the parser outputs is added or modified in the Schema field.
Now that you have data flowing into the HBase table, you need to ensure that the enrichment topology can be used to enrich the data flowing past. You can refine the parser output using transformation, enrichment, and threat intelligence.
- Display the Management module UI.
- Select the new sensor from the list of sensors on the main window.
Click the pencil icon in the list of tool icons
for the new sensor.
The Management Module displays the sensor panel for the new sensor.
In the Schema box, click (expand window button).
The Sample field, at the top of the panel, displays a parsed version of a sample message from the sensor. The Management module will test your transformations against these parsed messages.The Management module displays a second panel and populates the panel with message, field, and value information.You can use the right and left arrow buttons in the Sample field to view the parsed version of each sample message available from the sensor.
You can apply transformations to an existing field or create a new field. Click
the (edit icon) next to a field to apply transformations to
that field. Or click (plus sign) at the bottom of the
Schema panel to create new fields.
Typically users store transformations in a new field rather than overriding existing fields.For both options, the Management module expands the panel with a dialog box containing fields in which you can enter field information.
In the dialog box, enter the name of the new field in the
NAME field, choose an input field from the INPUT
FIELD box, and choose your transformation from the
TRANSFORMATIONS field or enrichment from the
For example, to create a new field showing the lower case version of the method field, do the following:
- Enter method-uppercase in the NAME field.
- Choose method from the INPUT FIELD.
Choose TO_UPPER in the
Your new schema information panel should look like this:
- Click SAVE to save your changes.
- You can suppress fields from showing in the Index by clicking (suppress icon).
Click SAVE to save the changed information.
The Management module updates the Schema field with the number of changes applied to the sensor.