Comment: added note re ordering for copy_first/last

...

  1. If no copy_first, copy_last, copy_highest or copy_groupby directives are present, then a backwards-compatible directive 'copy_last => [ qr// ]' is added.
  2. copy_first is evaluated first, and specifies which event properties should be copied over from the earliest trigger event.
    Each listed property is copied over; if the directive contains a regular expression (e.g. qr/cust.*/), then all properties with names matching the regular expression are copied.
  3. copy_last is checked next, and properties listed here are copied over from the most recent trigger event.
    This copying overwrites any properties that were set earlier (by copy_first).
  4. copy_highest is checked next, and its properties are sourced from the trigger event with the highest priority.
    Again, properties set earlier may be overwritten.
  5. copy_groupby controls whether any of the grouping property values should be saved in the new event.
    The format is different for this directive: it must be a list of property target names (or the word 'undef'), in the same order as the groupby directive.
    For each element in the groupby list, the value of the grouping property is saved as the target name in the new event, if a target name is available in the copy_groupby list.
    If no groupby is given for this rule, then a copy_groupby directive has no effect.
  6. Now the enrich clause is checked, and each of its property name-value pairs indicates which properties should be set to (or overwritten with) a particular static value.
  7. Now the node, stateful and element properties are automatically adjusted if required (see below for details).
  8. Finally, the event name is set to the rule name, certain undesirable properties are removed, an audit trail of triggering events is added (by adding the properties nodes and eventids), the event is marked as synthetic and is inserted into the database.

Please note that "earliest event" in step 1 refers to the event with the earliest event timestamp, which does not necessarily reflect its processing order. opEvents processes inputs mostly - but not always - in chronological order. If you have multiple 'earliest' events (all with the same timestamp) then their order is undefined and copy_first will pick a random event.

The same caveat applies in step 2 for the "most recent event".
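The following Python model of steps 1 to 6 is an added illustration, not opEvents code: it shows how later directives overwrite earlier ones and why events with equal timestamps make copy_first depend on processing order. The rule and event layouts, the property names time and priority, compiled Python patterns standing in for qr//, and None standing in for 'undef' are all assumptions of this sketch.

```python
import re

def pick(directive, event):
    """Expand one copy directive: literal names or compiled patterns (qr// stand-ins)."""
    copied = {}
    for item in directive:
        for name, value in event.items():
            is_match = item.search(name) if isinstance(item, re.Pattern) else item == name
            if is_match:
                copied[name] = value
    return copied

def synthesize(rule, triggers):
    """Build the synthetic event's properties in the documented order."""
    rule = dict(rule)
    copy_keys = ("copy_first", "copy_last", "copy_highest", "copy_groupby")
    if not any(key in rule for key in copy_keys):
        rule["copy_last"] = [re.compile("")]          # step 1: default matches every name
    # min()/max() return the first candidate on a tie, so with equal timestamps
    # the winner depends on the order in which the events were processed.
    first = min(triggers, key=lambda e: e["time"])
    last = max(triggers, key=lambda e: e["time"])
    highest = max(triggers, key=lambda e: e["priority"])
    new = {}
    new.update(pick(rule.get("copy_first", []), first))      # step 2
    new.update(pick(rule.get("copy_last", []), last))        # step 3, overwrites step 2
    new.update(pick(rule.get("copy_highest", []), highest))  # step 4, overwrites again
    # step 5: targets pair positionally with groupby; no groupby means no effect
    for source, target in zip(rule.get("groupby", []), rule.get("copy_groupby", [])):
        if target is not None:
            new[target] = first.get(source)   # all grouped events share this value
    new.update(rule.get("enrich", {}))        # step 6: static values win over copies
    new["event"] = rule["name"]               # from step 8: event name is the rule name
    return new

# Constructed sample data, not taken from a real opEvents installation.
TRIGGERS = [
    {"id": "e1", "time": 100, "priority": 2, "node": "sw1", "customer": "acme", "details": "first flap"},
    {"id": "e2", "time": 160, "priority": 5, "node": "sw1", "customer": "acme", "details": "link down", "element": "Gi0/1"},
    {"id": "e3", "time": 220, "priority": 3, "node": "sw1", "customer": "acme", "details": "last flap"},
]
RULE = {
    "name": "Port Flapping", "groupby": ["node", "customer"],
    "copy_first": ["details", re.compile(r"cust.*")], "copy_last": ["details"],
    "copy_highest": ["priority", "element"], "copy_groupby": ["flapping_node", None],
    "enrich": {"priority": 8},
}
```

With this sample rule, details ends up as the value from the most recent event and priority as the enrich value, because each later step overwrites what an earlier step copied.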

Automatic Event Node for Synthetic Events

...