
ameenrich Command

Description

The ameenrich command enhances indexed events with data from Alert Manager Enterprise (AME) KV Store collections, providing tenant-specific information based on the executing user’s permissions.

For example, you can query tenant audit logs (stored in the tenant index) where each audit event includes an event_key field (e.g., for a status change). While the indexed event lacks metadata like the triggering search name, ameenrich adds this context.

Syntax

Required syntax is in bold.

ameenrich [tenants=<tenant_list> | <wc>] [status=<status_list> | <wc>] [status_types=<status_types_list> | <wc>] [assignees=<assignee_list> | <wc>] [tags=<tags_list> | <wc>] [tags_mode=<AND | OR>] [saved_searches=<saved_searches_list> | <wc>] [fields=<fields_list> | <wc>] [sla_info=<bool>] [has_slas=<bool>] [has_sla_violations=<bool>] [has_sla_violation_within=<int>]

<saved_searches_list> is a JSON formatted list; all other lists are comma-separated.

Optional Arguments

tenants
  Syntax: tenants=<tenant_list> | <wc>
  Description: A comma-separated and quoted list of tenants, or a wildcard for all tenants.
  Example: tenants="default,sec,ops"
  Default: tenants=*

status
  Syntax: status=<status_list> | <wc>
  Description: A comma-separated and quoted list of statuses, or a wildcard for all statuses. Note that all_open and all_closed can also be used.
  Example: status="new,in_progress,closed"
  Default: status=*

status_types
  Syntax: status_types=<status_types_list> | <wc>
  Description: A comma-separated and quoted list of the status types new, in_progress and done, or a wildcard for all status types.
  Example: status_types="new,in_progress"
  Default: status_types=*

assignees
  Syntax: assignees=<assignee_list> | <wc>
  Description: A comma-separated and quoted list of assignees, or a wildcard for all assignees.
  Example: assignees="user1,user2,user3"
  Default: assignees=*

tags
  Syntax: tags=<tag_list> | <wc>
  Description: A comma-separated and quoted list of tags, or a wildcard for all tags.
  Example: tags="tag1,tag2,tag3"
  Default: tags=*

tag_mode
  Syntax: tag_mode=<AND> | <OR>
  Description: The tag search mode: AND requires an event to carry all listed tags, OR requires at least one of them.
  Example: tag_mode="AND"
  Default: tag_mode="OR"

saved_searches
  Syntax: saved_searches=<saved_searches_list> | <wc>
  Description: A JSON formatted list of saved search names, or a wildcard for all saved searches.
  Example: saved_searches="["saved_search1","saved_search2"]"
  Default: saved_searches="*"

fields
  Syntax: fields=<fields_list> | <wc>
  Description: A comma-separated and quoted list of fields to add to the event, or a wildcard for all fields.
  Example: fields="status,count"
  Default: fields=*

sla_info
  Syntax: sla_info=<bool>
  Description: Boolean value indicating whether to include SLA information in the results.
  Example: sla_info="true"
  Default: sla_info="false"

has_slas
  Syntax: has_slas=<bool>
  Description: Boolean value indicating whether to include only events that have SLAs.
  Example: has_slas="true"
  Default: None

has_sla_violations
  Syntax: has_sla_violations=<bool>
  Description: Boolean value indicating whether to include only events that have SLA violations.
  Example: has_sla_violations="true"
  Default: None

has_sla_violations_within
  Syntax: has_sla_violations_within=<int>
  Description: Integer value giving the number of seconds remaining until an SLA is violated; only events whose SLA will be violated within that many seconds are included.
  Example: has_sla_violations_within="300"
  Default: None
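The arguments above can be combined in one search. The following SPL is an added example written for this page, not a search shipped with Alert Manager Enterprise: it pulls the tenant index entries from the last day, lets ameenrich attach status, assignee and tenant only for open events in the sec and ops tenants that are assigned to analyst_03 or engineer_04 and carry both of two tags, keeps only the events the filter actually matched, and counts what is left per tenant, assignee and status. The index, sourcetype, assignee names and the filter_matched field come from the page; the tag names tag1 and tag2 are constructed placeholders, and tag_mode is the argument name used in the list above.

```spl
index=ame_default sourcetype="ame-index-entry" earliest=-24h
| ameenrich tenants="sec,ops" status="all_open" assignees="analyst_03,engineer_04" tags="tag1,tag2" tag_mode="AND" fields="status,assignee,tenant"
| search filter_matched=1
| stats count AS open_events BY tenant assignee status
| sort - open_events
```

Because ameenrich resolves tenant data according to the executing user's permissions, two analysts running this search can legitimately get different row sets; when a row you expect is missing, check the user's tenant access before suspecting the filters. To triage SLA exposure instead, replace the fields restriction with sla_info="true" has_sla_violations_within="300" so that only events whose SLA expires within five minutes are returned together with their SLA details.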

Examples

  1. Enrich events with data from Alert Manager Enterprise

     | ameenrich

  2. Enrich events with data from Alert Manager Enterprise, but only for the fields named status and count

     | ameenrich fields="status,count"

  3. Enrich events with data from Alert Manager Enterprise, for the fields status, assignee and tenant, but only if the assignee is analyst_03 or engineer_04. Then keep only the events that were enriched.

     index=ame_default sourcetype="ame-index-entry"
     | ameenrich assignees="analyst_03,engineer_04" fields="status,assignee,tenant"
     | search filter_matched=1

  4. Look up a single event key and enrich the data (the key is a string literal, so it must be quoted in eval)

     | eval event_key="653be0730281cce7620c5fd0" | ameenrich

  5. Look up a single event key and enrich the data with SLA information

     | eval event_key="653be0730281cce7620c5fd0" | ameenrich sla_info="true"
