cfxdm - dm:enrich

Enrich the data using dictionaries

dm:enrich: This cfxdm tag enriches an existing dataset by looking up matching rows in an additional dataset (a dictionary) and bringing in the columns the user selects from it.

dm:enrich syntax:

  • dict (mandatory): Dictionary name (named dataset) which has additional enrichment data.

  • src_key_cols (mandatory): Named dataset's (source) key columns, comma separated.

  • dict_key_cols (mandatory): Dictionary name's (named dataset) key columns, comma separated.

  • enrich_cols (mandatory): Enriched column names from Dictionary (named dataset) selected under 'dict' option, comma separated.

The number of columns specified in src_key_cols and dict_key_cols must be the same.

i.e. if two columns are specified in src_key_cols, two columns must be specified in dict_key_cols too.

Example:

The dataset below has target IP addresses and the processes running on each target machine.

The dataset below has the same target IP addresses and the services running on each target machine.

Each running service has a corresponding process name. Using the dm:enrich tag, we can merge both datasets by enriching the second dataset (app-services-list) with the first dataset (app-processes-list) as the dictionary, mapping each service to its corresponding process name.

The attributes common to both datasets are IP_Address and PID, which are used for both src_key_cols and dict_key_cols, and Process_Name is selected as enrich_cols.

The dm:recall tag is used in the example below to read the data from the 'app-services-list' dataset.

  @dm:recall name = 'app-services-list'
      --> @dm:enrich dict = 'app-processes-list' & src_key_cols = 'IP_Address,PID' & dict_key_cols = 'IP_Address,PID' & enrich_cols = 'Process_Name'
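
The keyed lookup described above, as an added Python sketch that is not cfxdm's own code. The sample rows, the Service_Name column and the handling of unmatched rows and duplicate dictionary keys are assumptions made for illustration.

```python
def split_cols(spec):
    """Split a comma-separated column option such as 'IP_Address,PID'."""
    return [c.strip() for c in spec.split(",") if c.strip()]


def enrich(src_rows, dict_rows, src_key_cols, dict_key_cols, enrich_cols):
    src_keys = split_cols(src_key_cols)
    dict_keys = split_cols(dict_key_cols)
    extra = split_cols(enrich_cols)
    # The page requires the same number of key columns on both sides.
    if len(src_keys) != len(dict_keys):
        raise ValueError("src_key_cols and dict_key_cols must have the same column count")
    # Index the dictionary by its key tuple; values are compared as strings so
    # a PID stored as 812 matches one stored as "812".
    # Assumption: on duplicate dictionary keys the first row wins.
    index = {}
    for row in dict_rows:
        index.setdefault(tuple(str(row[k]) for k in dict_keys), row)
    enriched = []
    for row in src_rows:
        match = index.get(tuple(str(row[k]) for k in src_keys))
        out = dict(row)
        for col in extra:
            # Assumption: unmatched source rows are kept with an empty value.
            out[col] = match.get(col) if match else None
        enriched.append(out)
    return enriched


# Constructed sample data. PID 812 appears on two hosts, which is why
# IP_Address and PID are both needed as key columns.
APP_SERVICES_LIST = [
    {"IP_Address": "10.0.0.5", "PID": 812, "Service_Name": "sshd"},
    {"IP_Address": "10.0.0.5", "PID": 1440, "Service_Name": "nginx"},
    {"IP_Address": "10.0.0.9", "PID": 812, "Service_Name": "postgresql"},
    {"IP_Address": "10.0.0.9", "PID": 77, "Service_Name": "unlisted"},
]
APP_PROCESSES_LIST = [
    {"IP_Address": "10.0.0.5", "PID": "812", "Process_Name": "/usr/sbin/sshd"},
    {"IP_Address": "10.0.0.5", "PID": "1440", "Process_Name": "/usr/sbin/nginx"},
    {"IP_Address": "10.0.0.9", "PID": "812", "Process_Name": "/usr/bin/postgres"},
]

if __name__ == "__main__":
    for r in enrich(APP_SERVICES_LIST, APP_PROCESSES_LIST,
                    "IP_Address,PID", "IP_Address,PID", "Process_Name"):
        print(r)
```

A service row that comes back with an empty Process_Name has no matching process entry for that host and PID, which is worth reviewing in an inventory.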
