by Gravwell
Sometimes data has gaps that make processing difficult, such as key/value data that omits a field entirely when there is no value to populate it with. The enrich module lets you fill in any field you expected to extract but that is missing, using a constant value. This query shows how enrich can be used to turn sparse machine data into something humans can read.
In this example, we extract the "alarm" and "message" values from a dataset. When alarm==false, the message field is missing altogether. We simply use enrich to fill in any missing "message" fields with the constant "no alarm"; entries that already carry a message are left unchanged.
Before and after (screenshots of the table output):
tag=alarms kv alarm message
| enrich message "no alarm"
| table
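To make the gap-filling concrete, here is an added Python example (not Gravwell's code or query engine) that mimics the kv, enrich and table stages of the query above over a few constructed alarm entries. The sample log lines and the helper names kv, enrich, table and run_query are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries for the "alarms" tag: the message field is only
# present when alarm=true, which is exactly the gap the enrich stage fills.
SAMPLE_ALARMS = [
    'ts=2024-01-01T00:00:00Z host=fw1 alarm=true message="port scan from 10.0.0.5"',
    'ts=2024-01-01T00:00:05Z host=fw1 alarm=false',
    'ts=2024-01-01T00:00:10Z host=fw2 alarm=true message="bruteforce on ssh"',
    'ts=2024-01-01T00:00:15Z host=fw2 alarm=false',
]

# Matches key=value or key="quoted value with spaces", as a kv extractor would.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def kv(entry: str, *fields: str) -> Dict[str, Optional[str]]:
    """Extract the requested keys from one entry; absent keys come back as None."""
    found = {}
    for m in _KV_RE.finditer(entry):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        found[key] = quoted if quoted is not None else raw
    return {f: found.get(f) for f in fields}


def enrich(rows: List[Dict[str, Optional[str]]], field: str, value: str):
    """Fill `field` with `value` only where it is missing; never overwrite."""
    return [{**r, field: value} if r.get(field) is None else r for r in rows]


def table(rows: List[Dict[str, Optional[str]]], *columns: str) -> List[List[str]]:
    """Render rows as a list of column values, blank for anything still missing."""
    return [[r.get(c) or "" for c in columns] for r in rows]


def run_query(entries: List[str] = SAMPLE_ALARMS) -> List[List[str]]:
    """Equivalent of: tag=alarms kv alarm message | enrich message "no alarm" | table"""
    rows = [kv(e, "alarm", "message") for e in entries]
    rows = enrich(rows, "message", "no alarm")
    return table(rows, "alarm", "message")


if __name__ == "__main__":
    for row in run_query():
        print(" | ".join(row))
```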