Processors
Processors in Imply Lumi perform the work in pipelines to transform events. A processor can perform actions such as transforming and mapping attributes or deleting attributes. The input for a processor may be the event message, an event attribute, or a static value. The processor output is a user attribute on the event.
To learn about creating pipelines, see Transform events with pipelines.
This topic describes the types of processors available in Imply Lumi.
Processor types
The following table summarizes the processor types and their inputs and outputs:
| Processor | Input | Configuration | Result |
|---|---|---|---|
| Attribute mapper | Incoming event attribute or message | Boolean option to override the output attribute if it already exists | New user attribute or updated user attribute |
| Attribute remover | Not applicable | Comma-separated list of event attribute names | Absence of the specified attributes |
| Regular expression | Incoming event attribute or message | Regular expression with one or more capturing groups | One or more user attributes, where the number of output attributes matches the number of capturing groups |
| Value mapper | Static value | Boolean option to override the output attribute if it already exists | New user attribute or updated user attribute |
Attribute mapper
The attribute mapper maps the value of one attribute to the value of another attribute. The processor creates the attribute if it doesn't already exist.
If the output attribute already exists, you can choose to override its value or leave it unchanged. To update an existing attribute, select the toggle to Override value when output attribute exists. Otherwise, the existing attribute is unchanged and no value is mapped.
An exception to the override function is when the input attribute value is null, empty, or only contains whitespace characters. The processor doesn't override an output attribute with any of these falsy values.
Example
- Input
- Event attribute:
status: 401
- Configuration
- Input attribute:
status - Output attribute:
http_status
- Output
- User attribute:
http_status: 401
Attribute remover
The attribute remover removes one or more attributes.
Example
- Input
- Event attribute:
status: 401
- Configuration
- Attributes to remove:
status
- Output
- User attribute: none
Regular expression
The regular expression (regex) processor parses an input attribute using a regular expression. The number of capturing groups in the regular expression determines the number of output attributes. The processor overrides any existing output attributes.
To refer to the event message, use _log.
Example
- Input
- Event message:
Service token grant failed for realm [demo], status [401], response [...]
- Configuration
- Input attribute:
_log - Regular expression:
realm\s[(\w+)] - Output attributes:
realm
- Output
- Event message:
Service token grant failed for realm [demo], status [401], response [...] - User attribute:
realm: demo
Value mapper
The value mapper maps a static value to an attribute. The processor creates the attribute if it doesn't already exist.
If the output attribute already exists, you can choose to override its value or leave it unchanged. To update an existing attribute, select the toggle to Override value when output attribute exists. Otherwise, the existing attribute is unchanged and no value is mapped.
The value mapper can map falsy values to output attributes, such as to redact a given attribute.
Example
- Input
- Event attribute:
status: 401
- Configuration
- Static value:
resolved
- Output
- User attribute:
status: resolved
Learn more
See the following topics for more information:
- Transform events with pipelines for an overview of pipelines and processors.
- Learn to transform events with pipelines for a tutorial on pipelines.