How to transform events with pipelines

In this tutorial, you learn how to transform events coming into Imply Lumi using a pipeline. A pipeline is an ordered list of processors that operate on events that meet specific search criteria. A processor performs a distinct task based on its type and processing rules.

The steps show you how to:

  • Create a pipeline and add processors to the pipeline.
  • Configure processors to extract attribute values, map attributes, and remove attributes.
  • Send events to Lumi with and without using a pipeline.
  • Compare user attributes with and without pipeline processing.

The following diagram summarizes the end-to-end process of processing events in Lumi.

Prerequisites

To complete the tutorial, you need the following:

  • Access to Lumi with the Data manager role or higher.
    For information on roles and permissions, see Manage roles.
  • An application that can send HTTP requests, such as a Unix terminal or Postman.
    This tutorial shows example requests using the command-line tool curl.

1. Send an event

In this section, you send an event to the HTTP event collector.

  1. In the Lumi navigation menu, click Integrations > Splunk® HEC.

  2. In the Select or create an IAM key pane, click Select or create key > Create key.

  3. For the IAM key, enter the name tutorial-pipelines. Leave all other fields empty.

  4. Click Create.

  5. In the Configure event forwarding pane, select the curl tab.

  6. Copy and paste the command into a text editor.

  7. Replace the example JSON data with the following object:

    {"event": "Service token grant failed for realm [demo], status [401], response [Invalid API key]", "source": "curl", "fields": {"userid": "wilma", "status": 401}}

    Your command should look similar to the following:

    curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Splunk IAM_KEY_TOKEN" \
    -d '{ "event": "Service token grant failed for realm [demo], status [401], response [Invalid API key]", "source": "curl", "fields": {"userid": "wilma", "status": 401}}' \
    LUMI_ENDPOINT

  8. Copy and paste the command into a terminal and submit the request.

  9. In the Preview incoming data pane, confirm that you see the new event.

2. Create a pipeline

In this section, you create a pipeline that will process all events that meet the specified condition.

  1. In the Lumi navigation menu, click Pipelines.

  2. Click + Create pipeline.

  3. Enter pipeline details:

    • Position: 1
    • Name: Authentication events
    • Expression: source=curl AND status=4*

  4. Click Create.

3. Add processors

In this section, you add processors, which are components of a pipeline that perform individual processing tasks.

Regex parser

First, add a regex parser to extract the name of the realm from the event message.

  1. On the Pipelines page, click the ellipsis next to the pipeline.

  2. Click Create processor.

  3. Enter processor details:

    • Position: 1
    • Type: Regex parser
    • Name: Extract realm
    • Source attribute: Select Extract from log body
    • Regular expression: realm\s\[(\w+)\]
      This regular expression looks for the format realm [NAME] and extracts the value NAME.
    • Output attributes: realm
      The processor stores the value in a user attribute named realm.

  4. Scroll down to try out the regular expression. In Sample, enter the following event:

    Service token grant failed for realm [demo], status [401], response [Invalid API key]

  5. The Expected output now shows the result demo. This value populates the realm user attribute when the event message is as listed.

Attribute mapper

Next, add an attribute mapper to rename status to http_status.

  1. On the Pipelines page, click the ellipsis next to the pipeline.
  2. Select Create processor.
  3. Enter processor details:
    • Position: 2
    • Type: Attribute mapper
    • Name: Rename status
    • Source attribute: status
    • Output attribute: http_status
  4. Leave the override toggle unselected.
  5. Click Create.

Attribute remover

Finally, add an attribute remover to remove userid and status. In this scenario, you remove userid to redact personal information associated with the event, and you remove status since you now store its information in http_status.

  1. On the Pipelines page, click the ellipsis next to the pipeline.
  2. Select Create processor.
  3. Enter processor details:
    • Position: 3
    • Type: Attribute remover
    • Name: Redact and pare back
    • Attributes to remove: userid, status
  4. Click Create.

4. Observe the difference

In this section, you send another event to the HTTP event collector and compare the results.

  1. Follow the steps in Send an event to send a new event using the tutorial-pipelines IAM key.
  2. In the Preview incoming data pane, confirm that you see the new event.
  3. Click Explore events.
  4. Adjust the time filter if needed to display both events.
  5. Notice the difference between the events.
    The processed event includes user attributes for realm and http_status. The unprocessed event doesn't have realm but includes userid and status.
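To see how the three processors combine before you compare the events in Lumi, the following added Python model (not Lumi's own implementation) applies the tutorial's pipeline expression and processors, in position order, to the tutorial event. The wildcard matching for status=4* and the override semantics of the attribute mapper are assumptions of this model.

```python
import re
import copy
from fnmatch import fnmatchcase  # wildcard match for the "status=4*" condition

# Constructed sample event, the same shape as the HEC payload sent in step 1.
EVENT = {
    "event": "Service token grant failed for realm [demo], status [401], response [Invalid API key]",
    "source": "curl",
    "fields": {"userid": "wilma", "status": 401},
}

def matches_pipeline(event):
    """Model of the pipeline expression 'source=curl AND status=4*'.
    Assumption: '4*' is a wildcard over the string form of the status attribute."""
    attrs = event.get("fields", {})
    return event.get("source") == "curl" and fnmatchcase(str(attrs.get("status", "")), "4*")

def regex_parser(event, pattern, output_attr):
    """Position 1 'Extract realm': extract from the log body into a user attribute."""
    match = re.search(pattern, event["event"])
    if match:
        event["fields"][output_attr] = match.group(1)
    return event

def attribute_mapper(event, source, output, override=False):
    """Position 2 'Rename status': copy the source value into the output attribute.
    The tutorial still removes 'status' afterwards, so the mapper is modelled as a copy.
    Assumption: with override off an existing output attribute is kept, with it on it is replaced."""
    fields = event["fields"]
    if source in fields and (override or output not in fields):
        fields[output] = fields[source]
    return event

def attribute_remover(event, names):
    """Position 3 'Redact and pare back': drop userid (PII) and the now-redundant status."""
    for name in names:
        event["fields"].pop(name, None)
    return event

def run_pipeline(event, override=False):
    """Apply the processors only to events that match the expression; input is left untouched."""
    out = copy.deepcopy(event)
    if not matches_pipeline(out):
        return out
    regex_parser(out, r"realm\s\[(\w+)\]", "realm")
    attribute_mapper(out, "status", "http_status", override)
    attribute_remover(out, ["userid", "status"])
    return out

if __name__ == "__main__":
    print("unprocessed:", EVENT["fields"])
    print("processed:  ", run_pipeline(EVENT)["fields"])
```

Running it prints the two attribute sets you compare in Explore events: the processed copy carries realm and http_status only, the original keeps userid and status.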

Explore further

To explore more with pipelines, try the following activities:

  • Send an event that already includes the http_status attribute. In the attribute mapper, view how the result changes when you toggle the override setting on or off.
  • Disable a processor in the pipeline and compare the results.
  • Create a second pipeline with the same conditions and note the order of operations.

Learn more

See the following topics for more information: