Using Extraprocessors in FlexConnectors
The information below is intended to supplement the Extra Processors section of the FlexConnector Developer’s Guide.
Below is a list of parameters that can be used in the extraprocessor section of a FlexConnector configuration file.
conditiondelimiter | Specifies the delimiter character separating the values listed in conditionvalues. If this is not present, the default delimiter is a comma (,). conditiondelimiter is valid only when conditiontype has the value of equals. |
conditionvalues | List of values that will cause this event to be processed, normally separated by comma characters. If the conditionvalues property is completely omitted, then only events where the field specified in conditionfield is null will be processed. |
conditionfield | Specifies the condition field. |
conditiontype | Specifies the condition type of the extraprocessor: regex or equals, e.g., conditiontype=equals or conditiontype=regex. When conditiontype=equals, the SmartConnector tests one field in the incoming event to see if it has one of the specified values, processing the event only if it does. It takes additional information from other properties to determine how to process the event. When conditiontype=regex, all regular expressions supported by the java.util.regex.Pattern class are supported in the conditionvalues property. If the conditionfield field is not a string, it is converted into a string before the pattern is applied (if it is null, it is treated as a zero-length string). In any case, the specified pattern must match the field as a whole, not merely be found in it. |
Example:
extraprocessor.count=3
extraprocessor[0].type=regex
extraprocessor[0].filename=dir/filename
extraprocessor[0].field=event.name
extraprocessor[1].type=map
extraprocessor[1].filename=dir/filename.csv
extraprocessor[1].charencoding=US-ASCII
extraprocessor[1].conditionfield=event.deviceEventClassId
extraprocessor[1].conditiontype=equals
extraprocessor[1].conditionvalues=30,31
extraprocessor[2].type=map
extraprocessor[2].filename=dir/filename2.csv
extraprocessor[2].charencoding=US-ASCII
extraprocessor[2].conditionfield=event.name
extraprocessor[2].conditiontype=regex
extraprocessor[2].conditionvalues=Security.*
In this example, the second extra processor (extraprocessor[1]) is executed only if the Device Event Class ID field is 30 or 31, and the third extra processor (extraprocessor[2]) is executed only if the Name field starts with "Security".
If both of those conditions were true, then all three extra processors would be executed, in the order shown.
If neither were true, then only the first extra processor (type=regex) would be executed.
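The condition rules above, modelled in Python as an added example (not ArcSight code and not part of the Developer's Guide), so you can check which processors a given event would reach. The dict layout, the function names and the sample events are constructed for illustration; comparing non-string fields as strings under equals is an assumption, and Python's re stands in for java.util.regex.Pattern, which behaves the same for simple patterns like the one used here.

```python
import re

# The three processors from the example above, as plain dicts (constructed model).
PROCESSORS = [
    {"type": "regex", "field": "event.name"},
    {"type": "map", "conditionfield": "event.deviceEventClassId",
     "conditiontype": "equals", "conditionvalues": "30,31"},
    {"type": "map", "conditionfield": "event.name",
     "conditiontype": "regex", "conditionvalues": "Security.*"},
]

def should_run(proc, event):
    """Return True if the processor's condition admits this event."""
    field = proc.get("conditionfield")
    if field is None:
        return True                       # no condition: always executed
    value = event.get(field)              # None models a null event field
    if "conditionvalues" not in proc:
        return value is None              # omitted values: only null fields pass
    ctype = proc.get("conditiontype")
    if ctype == "equals":
        delim = proc.get("conditiondelimiter", ",")   # default delimiter is a comma
        allowed = proc["conditionvalues"].split(delim)
        # Assumption: non-string fields are compared by their string form.
        return value is not None and str(value) in allowed
    if ctype == "regex":
        text = "" if value is None else str(value)    # null -> zero-length string
        # fullmatch: the pattern must match the whole field, not a substring.
        return re.fullmatch(proc["conditionvalues"], text) is not None
    raise ValueError(f"unsupported conditiontype: {ctype!r}")

def executed(event, processors=PROCESSORS):
    """Indexes of the processors that run for this event, in order."""
    return [i for i, p in enumerate(processors) if should_run(p, event)]

if __name__ == "__main__":
    samples = [  # constructed events
        {"event.deviceEventClassId": 30, "event.name": "Security Audit Success"},
        {"event.deviceEventClassId": 40, "event.name": "Windows Security Audit"},
        {"event.deviceEventClassId": 31, "event.name": None},
    ]
    for ev in samples:
        print(ev, "->", executed(ev))
```

The second sample is the case to watch: "Windows Security Audit" contains "Security" but does not match Security.* as a whole, so extraprocessor[2] is skipped and its map file is never applied to that event.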