The Event Property Tagger has been designed to add new properties to events based on their existing fields.

Configuration Overview

Follow the workflow steps below to configure the Event Property Tagger and its complement elements:
  1. Refer to the Features section below to gain an understanding of the module.

  2. Configure other processing elements preceding the Event Property Tagger in the flow. See corresponding module documentation.

  3. Configure the processing.xml file to declare an Event Property Tagger for the Event Processing Manager (declare additional instances if necessary).
  4. Configure the Event Property Tagger configuration file (configure additional instances of the file if using multiple Event Property Taggers).

  5. Configure one or more input files, which help to determine, in conjunction with the Event Property Tagger's configuration file, what properties to add, change, or delete.

  6. Restart the Event Processing Manager.
    Note: You do not have to restart the Event Processing Manager again if you make changes to the configuration file, or the input files, as these will be refreshed according to the value for the refresh tag indicated in the configuration file.

Features

  • Matching on property "keys": Multiple properties can be used as a "key" to add new properties. For example, it is possible to add the admin property with the value Bob for all events that have the property devtype set to host AND parttype set to interface.

  • New properties based on same "key": A "key" can be used to add more than one new property.

  • Optional usage of default values: It is possible to define default values to use if there is no "key" that matches the properties of the event.

  • String matching, SQL patterns and regular expressions: It is possible to use SQL patterns or regular expressions instead of string comparison to define a "key". For example, you can use the SQL pattern w4n-% for the property device to match all device values that begin with w4n.

  • Optional delete of chosen key properties after tagging: Chosen properties used in the "key" can be deleted after the tagging is done, but only if the incoming event was mutable. For example, you may want to delete from the event a property that was used only to create a new property and that is not needed.
    Note: Whether or not an event is mutable is determined by its source when it is first captured and processed. Events that are immutable cannot have their properties deleted or modified, nor can they have properties added to them. DCF can compensate for this behavior, as explained in the Mutable and Immutable Events section.
  • Refresh configuration while running: It is possible to reload the configuration file and its input file when they change. The module checks for changes at a configured interval.
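
The matching behaviour described in the Features list, modelled in Python as an added example (this is not DCF code and does not show its configuration or input-file syntax). The rule layout, function names, first-match-wins ordering, whole-value anchoring of patterns, and all sample values other than admin=Bob and w4n-% are assumptions made for illustration.

```python
import re

def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% = any run, _ = one character) to a regex."""
    return "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                   for c in pattern)

def matches(kind, pattern, value):
    """Compare one event property value against one column of a key."""
    if value is None:                      # property absent from the event
        return False
    if kind == "string":
        return value == pattern
    if kind == "sql":                      # anchored: the whole value must match
        return re.fullmatch(like_to_regex(pattern), value) is not None
    if kind == "regex":
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unknown match kind: {kind}")

def tag_event(event, mutable, rules, defaults=None, delete_after=()):
    """Return a tagged copy of the event (assumption: first matching key wins)."""
    new_props = defaults or {}             # used only when no key matches
    for key, props in rules:
        # Every property in the key must match (logical AND).
        if all(matches(kind, pat, event.get(name))
               for name, (kind, pat) in key.items()):
            new_props = props
            break
    tagged = dict(event)
    tagged.update(new_props)               # one key may add several properties
    if mutable:                            # key properties are deleted only
        for name in delete_after:          # when the event was mutable
            tagged.pop(name, None)
    return tagged

# Constructed sample rules: (key, properties to add)
RULES = [
    ({"devtype": ("string", "host"), "parttype": ("string", "interface")},
     {"admin": "Bob"}),
    ({"device": ("sql", "w4n-%")},
     {"admin": "Alice", "site": "lab"}),
]
DEFAULTS = {"admin": "unassigned"}
```

Anchoring the pattern to the whole value keeps w4n-% from matching a device named xw4n-1, which would otherwise pick up the wrong tags.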