Alert Enrichment: Extraction

Keep’s Alert Extraction enrichment feature enables dynamic extraction of data from incoming alerts using regular expressions. This powerful tool allows users to define extraction rules that identify and extract data based on patterns, enriching alerts with additional structured data derived directly from alert content.

Introduction

Handling a variety of alert formats and extracting relevant information can be challenging. Keep’s Alert Extraction feature simplifies this process by allowing users to define regex-based rules that automatically extract key pieces of information from alerts. This capability is crucial for standardizing alert data and enhancing alert context, which facilitates more effective monitoring and response strategies.

How It Works

  1. Rule Definition: Users create extraction rules specifying the regex patterns to apply to certain alert attributes.
  2. Attribute Specification: Each rule defines which attribute of the alert should be examined by the regex.
  3. Data Extraction: When an alert is received, the system applies the regex to the specified attribute. If the pattern matches, named groups within the regex define new attributes to be extracted and added to the alert.
  4. First Match Enforcement: The extraction process is designed to stop after the first successful match. Once a rule successfully applies and enriches the alert, no further rules are processed. This ensures efficiency and prevents overlapping or redundant data extraction.
  5. Alert Enrichment: Extracted values are added to the alert, enhancing its data with additional attributes for improved analysis.

Practical Example

Suppose you receive alerts with a message attribute formatted as “Error 404: Not Found - [UserID: 12345]“. You can define an extraction rule with a regex such as Error (?P<error_code>\d+): (?P<error_message>.+) - \[UserID: (?P<user_id>\d+)\] to extract error_code, error_message, and user_id as separate attributes in the alert.

Core Concepts

  • Regex (Regular Expression): A powerful pattern-matching syntax used to identify specific patterns within text. In the context of extraction rules, regex is used to define how data should be extracted from alert attributes. It is crucial that regex patterns adhere to Python’s regex syntax, especially concerning group matching using named groups.
  • Attribute: The part of the alert data (e.g., message, description) that the regex is applied to.
  • Named Groups: Part of the regex pattern that specifies placeholders for extracting specific data points into new alert attributes.

Creating an Extraction Rule

To create an alert extraction rule:

  1. Select the Attribute: Choose which attribute of the alert should be examined by the regex.
  2. Define the Regex: Write a regex pattern with named groups that specify what information to extract. Ensure the regex is valid according to Python’s regex standards, particularly for group matching.
  3. Configure Conditions: Optionally, specify conditions under which this rule should apply, using CEL (Common Expression Language) for complex logic.

Best Practices

  • Test Regex Patterns: Before deploying a new extraction rule, thoroughly test the regex pattern to ensure it correctly matches and extracts data according to Python’s regex standards.
  • Monitor Extraction Performance: Keep track of how extraction rules are performing and whether they are enriching alerts as expected. Adjust patterns as necessary based on incoming alert data.
  • Use Specific Conditions: When applicable, define conditions to limit when extraction rules apply, reducing unnecessary processing and focusing on relevant alerts.