alert
Generates Logpresso Sonar events from input records. Use this command in real-time stream queries to convert detection rule results into Sonar events.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| _logger | integer | Required | Logger ID |
| _rule | integer | Required | Detection rule ID |
| _site | string | Optional | Site name |
| _logger_name | string | Optional | Logger name |
| _device_ip | ipaddr | Optional | Device IP address |
| _device_name | string | Optional | Device name |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The alert command reads the _logger and _rule fields from each input record and generates a Sonar event. Both fields must exist as numeric types for an event to be created. If either field is missing or has the wrong type, the record passes through to the next command unchanged without generating an event.
All fields from the input record are included in the event data. The _site, _logger_name, _device_ip, and _device_name fields are set as supplementary event metadata. The event source is set to STREAM.
Regardless of whether an event is generated, the input record is always passed through to the next command as-is.
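The following Python model, added here as an illustration and not part of Logpresso or the Sonar code base, captures the behaviour described above: records carrying integer `_logger` and `_rule` fields produce an event whose data is the full record, whose metadata comes from the optional fields, and whose source is STREAM, while every record passes through regardless. The event layout (a plain dict with `logger`, `rule`, `source`, `meta`, `data` keys) and the constructed sample records are assumptions; the page does not specify the internal event structure.

```python
"""Reference model of the documented alert command semantics.

Added example, not Logpresso code. Assumptions not stated on the page:
the Sonar event is modelled as a plain dict, and the numeric check
accepts Python int (bool excluded) to match the documented integer type.
"""
from typing import Any, List, Optional, Tuple

REQUIRED = ("_logger", "_rule")
META_FIELDS = ("_site", "_logger_name", "_device_ip", "_device_name")


def _is_integer(value: Any) -> bool:
    # bool is a subclass of int in Python; the page requires an integer ID.
    return isinstance(value, int) and not isinstance(value, bool)


def build_event(record: dict) -> Optional[dict]:
    """Return the Sonar event for record, or None when no event is produced.

    A missing or wrongly typed _logger/_rule yields None; the caller still
    passes the record through, as the page describes.
    """
    if not all(_is_integer(record.get(f)) for f in REQUIRED):
        return None
    return {
        "logger": record["_logger"],
        "rule": record["_rule"],
        "source": "STREAM",
        # Supplementary metadata: only the optional fields present on the record.
        "meta": {f: record[f] for f in META_FIELDS if f in record},
        # The event data carries every field of the input record.
        "data": dict(record),
    }


def alert(records: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Model the command: returns (records passed through unchanged, events created)."""
    events = []
    for rec in records:
        ev = build_event(rec)
        if ev is not None:
            events.append(ev)
    # Every input record passes through as-is, whether or not it produced an event.
    return list(records), events


# Constructed sample input: the page's two examples plus a wrong-type case
# (_logger given as a string) that must also pass through without an event.
SAMPLE = [
    {"_logger": 1, "_rule": 100, "src_ip": "192.0.2.1", "action": "blocked"},
    {"src_ip": "192.0.2.1", "action": "blocked"},
    {"_logger": "1", "_rule": 100, "_site": "hq", "action": "allowed"},
]

if __name__ == "__main__":
    passed, events = alert(SAMPLE)
    print(f"{len(passed)} records passed through, {len(events)} event(s) created")
```

Running the model on the sample shows three records passing through and a single event, which is the distinction worth checking when a detection rule appears to fire but no Sonar event arrives: the record flow continues normally, so only the event count reveals a missing or mistyped `_logger` or `_rule`.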
Examples
- Generating events in a stream query

  `json "[{'_logger': 1, '_rule': 100, 'src_ip': '192.0.2.1', 'action': 'blocked'}]" | alert`

  Creates a Sonar event from a record that contains the `_logger` and `_rule` fields.

- Missing required fields

  `json "[{'src_ip': '192.0.2.1', 'action': 'blocked'}]" | alert`

  Because the `_logger` and `_rule` fields are absent, no event is generated and the record passes through unchanged.