...

| Port | Description |
|---|---|
| out | Outputs input events modified with new/overwritten/removed fields. New/overwritten fields are those defined by expressions in the 'Fields to add' tab. Removed fields are those defined in the 'Fields to remove' tab. |
| error | Outputs all events that produced an error during evaluation. These events have two additional fields, error and exception, that describe the error. |

Example

In this example, we want to send events related to a single user in our domain from the siem.logtrust.web.activity table to a new my.app table. 

To do this, we will use a Devo source unit to get events from the siem.logtrust.web.activity table. Then, we will link it to a Filter unit that only passes on events containing the email of the required user. Finally, we will link the Filter unit's out output port to a Devo sink unit to send the filtered events to a my.app table.

...

In the Filter unit settings, we add the following predicate to discard events with a null value in the username column and keep only events related to a specific user's email:

Code Block
username != null && username.equals("user_mail")

...

📁 Download this example

You can try this flow by downloading this JSON and uploading it to your domain using the Import option:

View file
namefilter_example.json