3 Replies Latest reply on Jan 19, 2017 3:18 AM by acommons

    Data Enrichment

      Greetings folks!


      We are looking to leverage the data enrichment feature within ESM to aid in detecting 'special' events, but first a couple questions.


      Is there a limitation to the number of entries a data enrichment file can contain?


      Does the data enrichment support regex and/or CIDR notation?


      Thanks in advance,



        • 1. Re: Data Enrichment

          There is no limit to the number of entries a data enrichment file can contain. Depending on your use case, the file either needs to contain a single list of values, or in the format of lookup=enrichment. The lookup value would be the value contained in the event, such as the Source IP. The enrichment value is the value you want to add to a field in the event, such as a data center location. Your file would need to look like this


 Center 1

 Center 2


          For IP based enrichment, CIDR notation is supported, but regular expressions are not supported unless you are using regular expression based enrichment. Regular expression based enrichment allows you to apply a regex to an event field and enrich the event with a staitc value or the returned match from the regex.

          • 2. Re: Data Enrichment

            I have a file in the format which is an IP lookup -> string literal enrichment definition:





            But when I try to run the data enrichment I get an error as follows:

            IT Pool_2013-10-13_02-15-23.png


            Any help on this?

            • 3. Re: Data Enrichment



              I assume that CIDR notation is supported when the enrichment lookup type is "32 bit IP Range" and the input file format is then:


              a.b.c.d/nn=string value


              This is on 9.6MR7.




              1 of 1 people found this helpful