Skip to content

Commit d14b72e

Browse files
chetanchoudhary-sumochetanchoudhary-sumo
authored
AWS ALB and NLB FER Update (#5929)
* updating FER for Network Load Balancer * Few more updates to FERs of ALB and NLB * fixing alb fer
1 parent db27f3d commit d14b72e

File tree

2 files changed

+18
-14
lines changed

2 files changed

+18
-14
lines changed

docs/integrations/amazon-aws/application-load-balancer.md

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -140,14 +140,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
140140
```
141141

142142
```sql title="Parse Expression"
143-
json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop
144-
|"" as namespace
143+
json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
145144
| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
146-
| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
147-
| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
148-
| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
149-
| where namespace="aws/applicationelb" or isEmpty(namespace)
150-
| toLowerCase(loadbalancer) as loadbalancer
145+
| "" as namespace
146+
| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop
147+
| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop
148+
| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace
149+
| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
150+
| where namespace="aws/applicationelb" or isEmpty(namespace)
151+
| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer1), loadbalancer1, loadbalancer2)) as loadbalancer
152+
| toLowerCase(loadbalancer) as loadbalancer
151153
| fields region, namespace, loadbalancer, accountid
152154
```
153155

docs/integrations/amazon-aws/network-load-balancer.md

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -68,14 +68,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
6868
```
6969

7070
```sql title="Parse Expression"
71-
json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop
72-
|"" as namespace
71+
json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
7372
| where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
74-
| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, networkloadbalancer, f1 nodrop
75-
| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
76-
| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
77-
| where namespace="aws/networkelb" or isEmpty(namespace)
78-
| toLowerCase(networkloadbalancer) as networkloadbalancer
73+
| "" as namespace
74+
| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, networkloadbalancer1, f1 nodrop
75+
| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, networkloadbalancer2, f1, f2 nodrop
76+
| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace
77+
| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
78+
| where namespace="aws/networkelb" or isEmpty(namespace)
79+
| if (!isEmpty(networkloadbalancer), networkloadbalancer, if (!isEmpty(networkloadbalancer1), networkloadbalancer1, networkloadbalancer2)) as networkloadbalancer
80+
| toLowerCase(networkloadbalancer) as networkloadbalancer
7981
| fields region, namespace, networkloadbalancer, accountid
8082
```
8183

0 commit comments

Comments
 (0)