Release 2008.2
Creating Extension Documents
Multi-Event Modifier (event-match-multiple)
The multi-event modifier (event-match-multiple) matches a range of event types, and subsequently modifies them, as specified by the pattern-id parameter and the capture-group-index parameter.
Note: This match is not run against the payload, but is run against the results of
the EventName matcher previously parsed out of the payload.
This entity allows mutation of successful events by changing the device event category, severity, or the method the event uses to send identity events. The capture-group-index must be an integer value (substitutions are not supported) and pattern-id must reference an existing pattern entity. All other properties are identical to their counterparts in the single-event modifier.
Creating Extension Documents
This section provides you with information on creating extension documents including:
• Writing a Complete Extension Document
• Uploading Extension Documents
• Solving Specific Parsing Issues
Table 5 Single-Event Modifier Parameters (continued)

Parameter: send-identity
Description: Specifies the sending of identity change information from the event. Choose one of the following options:
• UseDSMResults – If the DSM returns an identity event, the event is passed on. If the DSM does not return an identity event, the DSM does not create or modify the identity information. This is the default value if no value is specified.
• SendIfAbsent – If the DSM creates identity information, the identity event is passed through unaffected. If no identity event is produced by the DSM, but there is enough information in the event to create an identity event, an event is generated with all the relevant fields set.
• OverrideAndAlwaysSend – Ignores any identity event returned by the DSM and creates a new identity event, if there is enough information.
• OverrideAndNeverSend – Suppresses any identity information returned by the DSM.
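
As an added example (not part of the original guide or the product), the following Python script lints an extension document against the rules stated above for event-match-multiple: pattern-id must reference an existing pattern entity, capture-group-index must be an integer, and send-identity must be one of the four options in Table 5. The sample document, the device-extension and match-group wrapper elements, and the id attribute on pattern are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The four send-identity options listed in Table 5.
SEND_IDENTITY_VALUES = {
    "UseDSMResults",  # default when the attribute is absent
    "SendIfAbsent",
    "OverrideAndAlwaysSend",
    "OverrideAndNeverSend",
}

# Constructed sample. The wrapper elements and the "id" attribute on
# <pattern> are assumptions; the second modifier is deliberately invalid.
SAMPLE = r"""<device-extension>
  <pattern id="EventNameId">(logon|logoff)_(\w+)</pattern>
  <match-group>
    <event-match-multiple pattern-id="EventNameId" capture-group-index="1"
                          send-identity="OverrideAndNeverSend"/>
    <event-match-multiple pattern-id="MissingPattern" capture-group-index="\1"
                          send-identity="Never"/>
    <event-match-multiple pattern-id="EventNameId" capture-group-index="2"/>
  </match-group>
</device-extension>"""


def lint_multi_event_modifiers(xml_text):
    """Return a list of (modifier_number, message) findings."""
    root = ET.fromstring(xml_text)
    pattern_ids = {p.get("id") for p in root.iter("pattern")}
    findings = []
    for n, mod in enumerate(root.iter("event-match-multiple"), start=1):
        pattern_id = mod.get("pattern-id")
        if pattern_id not in pattern_ids:
            findings.append((n, f"pattern-id {pattern_id!r} references no pattern entity"))
        index = mod.get("capture-group-index")
        # When present, the value must be a plain integer (no substitutions).
        if index is not None and not (index.isascii() and index.isdigit()):
            findings.append((n, f"capture-group-index {index!r} is not an integer"))
        mode = mod.get("send-identity", "UseDSMResults")
        if mode not in SEND_IDENTITY_VALUES:
            findings.append((n, f"send-identity {mode!r} is not a listed option"))
    return findings


if __name__ == "__main__":
    for number, message in lint_multi_event_modifiers(SAMPLE):
        print(f"event-match-multiple #{number}: {message}")
```

Running the check before upload catches a misspelled send-identity value or a dangling pattern-id that would otherwise leave identity handling different from what was intended.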