
Set Conditional Mappings

Conditional mappings link a CEG field to different possible results, allowing you to set default and conditional values for a given field. For example, you could use conditional mappings to map success or failure values, or to identify event sources by name or group.

Conditional mappings assign a default value and one or more conditional values to a given CEG field. You can set qualifications for each conditional value. If an event matches those qualifications, the appropriate conditional value is assigned to the chosen field. Otherwise the refined event field displays the default value.

If there are duplicate conditional mappings, the DM file uses the first one it finds, and considers no further mappings. To improve performance, place more common conditions first.

Note: Stand-alone conditional mapping is slower than block mapping. We recommend that you use it only when necessary.

To set conditional mappings

  1. Open the mapping file wizard, enter a name and select a Logname for the mapping file, and advance to the Conditional Mappings step.

    The Conditional Mappings screen appears, displaying any current default mappings. The Field column shows the CEG or parsed field name, and the Value column shows the current default value.

    Note: Select a parsing file in the Provide File Details step for parsed field values to appear.

  2. Click Add Conditional Mapping in the Conditional Field Mappings list, and select the new row.

    The Mapping Details pane appears, displaying the Field drop-down list and Value shuttle control.

  3. Select the CEG field you want to map to from the Field menu. When you begin typing, the auto-complete feature narrows the list of available CEG fields.
  4. Enter the default mapping you want in the Add Value entry field, and click Add Value to display it in the Selected Fields pane. You can remove unwanted values by moving them to the Available Fields pane.
  5. Click Add Conditional Value in the Conditional Values list.

    A new value appears.

  6. Select the New Value text to highlight it and change the name.

    The new name appears in the list, and the filters dialog appears in the details pane.

  7. Construct a filter to define the conditional value. For example, you could build one or more filters to link the event_source_address field to IP addresses, identifying event sources with a geographical or other business group.
  8. When you have added all the conditional mappings you want, click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.

    If you click Save and Close, the new file appears in the Mapping File User folder; otherwise, the step you selected appears.
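The evaluation rules described above (a default value, an ordered list of conditional values, first match wins, and the step 7 example of grouping event sources by event_source_address) modelled in Python as an added illustration. This is not the product's own DM file format or code; the CEG field name `business_group`, the network ranges and the sample events are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Filter = Callable[[Event], bool]


@dataclass
class ConditionalMapping:
    """One CEG field with a default value and an ordered list of conditional values."""
    ceg_field: str
    default: str
    # (conditional value name, filter, value assigned when the filter matches)
    conditions: List[Tuple[str, Filter, str]] = field(default_factory=list)

    def add_conditional_value(self, name: str, flt: Filter, value: str) -> None:
        self.conditions.append((name, flt, value))

    def apply(self, event: Event) -> str:
        # First matching condition wins; later conditions are not evaluated,
        # so order matters when ranges overlap (and common conditions go first).
        for _name, flt, value in self.conditions:
            if flt(event):
                return value
        return self.default


def source_in(*cidrs: str) -> Filter:
    """Filter that matches when event_source_address falls in any of the given networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def flt(event: Event) -> bool:
        try:
            ip = ipaddress.ip_address(event.get("event_source_address", ""))
        except ValueError:  # missing or malformed address never matches
            return False
        return any(ip in n for n in nets)
    return flt


def build_site_mapping() -> ConditionalMapping:
    # Constructed example: "business_group" is an assumed field name, not a documented CEG field.
    m = ConditionalMapping(ceg_field="business_group", default="Unknown")
    # The narrower range is listed first; if it came after 10.0.0.0/8 it would never match.
    m.add_conditional_value("Finance", source_in("10.1.0.0/16"), "Finance")
    m.add_conditional_value("Data Center", source_in("10.0.0.0/8", "192.168.0.0/16"), "Data Center")
    return m


def refine(mapping: ConditionalMapping, events: List[Event]) -> List[Event]:
    """Return copies of the events with the mapped CEG field filled in."""
    return [dict(e, **{mapping.ceg_field: mapping.apply(e)}) for e in events]
```

Swapping the two `add_conditional_value` calls makes every 10.1.x.x source resolve to "Data Center", which is the ordering pitfall the first-match rule implies.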

More information:

Using Advanced Filters