SumoLogic
diff --git a/‎docs/cse/schema/create-structured-log-mapping.md‎
Lines changed: 17 additions & 18 deletions b/‎docs/cse/schema/create-structured-log-mapping.md‎
Lines changed: 17 additions & 18 deletions
diff --git a/‎static/img/cse/standard-mapping-multiple-fields.png‎
71.7 KB b/‎static/img/cse/standard-mapping-multiple-fields.png‎
71.7 KB
@@ -71,7 +71,7 @@ You can use a constant mapping to map a constant encountered in a message to a C
 
 Given the example constant mapping below, if the key value “true” is encountered in an incoming message, that value is mapped to the success schema attribute.
 
-<img src={useBaseUrl('img/cse/constant.png')} alt="Constant mapping" style={{border: '1px solid gray'}} width="700"/>
+<img src={useBaseUrl('img/cse/constant.png')} alt="Constant mapping" style={{border: '1px solid gray'}} width="800"/>
 
 To configure a constant mapping:
 
@@ -88,7 +88,7 @@ You can use an extracted mapping to map a field that was extracted from a log me
 
 Given the following example mapping, if the extracted field `serial` is encountered in a message, its value is mapped to the `resource` schema attribute.
 
-<img src={useBaseUrl('img/cse/extracted-mapping-example.png')} alt="Extracted mapping" style={{border: '1px solid gray'}} width="700"/>
+<img src={useBaseUrl('img/cse/extracted-mapping-example.png')} alt="Extracted mapping" style={{border: '1px solid gray'}} width="800"/>
 
 To configure a extracted mapping:
 
@@ -109,7 +109,7 @@ The example mapping below creates a string by combining the values of the `first
 
 the mapping combines the values of the ` firstName` and the `lastName` message fields, separated by a space. The resulting value, "John Doe", is mapped to the `user_username` attribute.  
 
-<img src={useBaseUrl('img/cse/format-mapping-example.png')} alt="Format mapping" style={{border: '1px solid gray'}} width="700"/>
+<img src={useBaseUrl('img/cse/format-mapping-example.png')} alt="Format mapping" style={{border: '1px solid gray'}} width="800"/>
 
 To define a format mapping:
 
@@ -127,13 +127,13 @@ You can use a joined mapping to join multiple values together and map them to a
 
 In the screenshot below, we're configuring a mapping that joins the value of the `actor.firstname` and `actor.lastname` fields and maps the result to the `user_username` attribute. For example, if the value of `actor.firstname` is "zaya", and the value of `actor.lastname` is "hedad", this mapping would result in "zayahedad" being written to the `user_username` attribute. 
 
-<img src={useBaseUrl('img/cse/joined-mapping.png')} alt="Joined mapping" style={{border: '1px solid gray'}} width="700" />
+<img src={useBaseUrl('img/cse/joined-mapping.png')} alt="Joined mapping" style={{border: '1px solid gray'}} width="800" />
 
 1. **Input Fields**. Enter the names of input fields. These are the fields from incoming messages whose values you want to join.
-1. **Delimiter.** Enter the character that delimits the segments of the input fields.
+1. **Input Field Delimiter.** Enter the character that delimits the segments of the input fields.
 1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
-   1. **Alternate input fields**. Enter one or more fields, separated by spaces. If any of the input fields you entered above do not exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
-   1. **Default value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
+   1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If any of the input fields you entered above do not exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
+   1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
 1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
 
 ### lookup mapping
@@ -146,7 +146,7 @@ In the screenshot below, we’ve defined a set of lookup key-value pairs that sp
 
 The configuration shown below defines what value to write to the logonType attribute of a Record when the EventData.LogonType message field value is “1”, “2”, “3”, or “4”, which will be “Interactive”, “”Network”, “Batch”, and “Service”, respectively.
 
-<img src={useBaseUrl('img/cse/lookup-mapping-filled-out.png')} alt="Lookout mapping" style={{border: '1px solid gray'}} width="700" />
+<img src={useBaseUrl('img/cse/lookup-mapping-filled-out.png')} alt="Lookout mapping" style={{border: '1px solid gray'}} width="800" />
 
 **To define a lookup mapping**
 
@@ -168,7 +168,7 @@ You can use a split mapping to split the character-delimited value of an input f
 
 In the screenshot below, we’re configuring a mapping that splits the value of the actor.email field when an ampersand (@) is encountered, and maps the first segment to the user_username attribute. For example, if the value of actor.email is “[email protected]”, this mapping would result in “ddonavan” being written to the `user_username` attribute.
 
-<img src={useBaseUrl('img/cse/split-mapping-filled-out.png')} alt="Split mapping" style={{border: '1px solid gray'}} width="700" />
+<img src={useBaseUrl('img/cse/split-mapping-filled-out.png')} alt="Split mapping" style={{border: '1px solid gray'}} width="800" />
 
 To define a split mapping:
 
@@ -191,34 +191,33 @@ An alternate input field won’t be mapped to the selected attribute if the spec
 
 In the screenshot below, we’re configuring a mapping that maps the value of the `EventData.LogonProcessName` message field to the `application` attribute. We defined one alternate input field, `AppId`, which will be mapped to the `application` attribute if the `EventData.LogonProcessName` field is not found in the message, or exists and is null. 
 
-<img src={useBaseUrl('img/cse/standard-mapping-single-input.png')} alt="Standard mapping" style={{border: '1px solid gray'}} width="700" />
+<img src={useBaseUrl('img/cse/standard-mapping-single-input.png')} alt="Standard mapping" style={{border: '1px solid gray'}} width="800" />
 
 To map a single input field:
 
 1. Select standard from the **Create a new … mapping field?** pull-down.
 1. **Input Field**. Enter the name of an input field. This is the field from incoming messages whose value you want to write to the Cloud SIEM attribute you’ll specify later in this procedure.
 1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
-
-   1. **Alternate input fields**. Enter one or more fields, separated by spaces. If the Input Field you entered above doesn’t exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
-   1. **Default value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
+    1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If the Input Field you entered above doesn’t exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
+    1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
 1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
 1. Click **Add Field** to save the field mapping.
 
 **Example standard mapping: multiple input fields**
 
-This example mapping combines the values of `fielda` and `fieldb`, separated by a period delimiter, and maps the result to the `user_username` attribute. 
+This example mapping combines the values of `firstname` and `lastname`, separated by a period delimiter, and maps the result to the `user_username` attribute. 
 
-We defined two alternative fields, `fieldc` and `fieldd`. If `fielda`and `fieldb` are not found in a message or are null, the values of `fieldc` and `fieldd` are used instead to form the value to be mapped to the `user_username` attribute.
+We defined two alternative fields, `first` and `last`. If `firstname`and `lastname` are not found in a message or are null, the values of `first` and `last` are used instead to form the value to be mapped to the `user_username` attribute.
 
-We also defined a default value: if `fieldc` and `fieldd` are not found in a message or are null, the default value “john.doe” is mapped to the `user_username` attribute.
+We also defined a default value: if `first` and `last` are not found in a message or are null, the default value “john.doe” is mapped to the `user_username` attribute.
 
-<img src={useBaseUrl('img/cse/standard-mapping-multiple-fields.png')} alt="Standard mapping with multiple fields" style={{border: '1px solid gray'}} width="700" />
+<img src={useBaseUrl('img/cse/standard-mapping-multiple-fields.png')} alt="Standard mapping with multiple fields" style={{border: '1px solid gray'}} width="800" />
 
 To map multiple input fields:
 
 1. Select **standard** from the **Create a new … mapping field?** pull-down.
 1. **Add more fields**. Expand this section.
-1. **Input Fields**. Enter the names of the input fields to be combined, separated by spaces. 
+1. **Input Fields**. Enter the names of the input fields to be combined, separated by spaces.
 1. **Input Field Delimiter**. Enter the character to use as the delimiter between the input field values.
 1. **Show optional fields**. Click this if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
    1. **Alternate input fields**. Enter one or more fields, separated by spaces. If any of the Input Fields you entered above don’t exist in a message, or are null, the values of the alternative fields you enter will be combined and mapped to the Cloud SIEM attribute you’ll specify later in this procedure.