Message Builder

Most recent version: v1.0.0

See the changelog of this Action type here.

Overview

The Message Builder Action allows users to define new messages by combining different input fields.

In order to configure this Action, you must first link it to a Listener. Go to Building a Pipeline to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in this article.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find Message Builder in the Actions tab (under the Formatting group) and drag it onto the canvas. Link it to the required Listener and Data sink.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Fields*

This is where you specify the fields you wish to include in your message, color coded by type.

Fields beginning with _ are internal fields.

Destination Field Name*

Give your message a name to identify it by in the end destination.

Output format*

Choose how to send your message from the following formats: CSV, JSON, Key Value, Free Mode. See the tabs below for the settings specific to each one.

Save

Click save when you have composed your message.

To include a field in your message, drag it from the Fields area and drop it into the Message area.

You can add a Field Delimiter to separate the fields in your message string. Choose between : , , , | , ; .

This will generate an output CSV.

Create a key-value file.

To include a field in your message, drag it from the Fields area and drop it into the Message area.

This will automatically add the field value separated by : followed by the source action and field. A :separates each key-value pair.

To change the Value and Pair separators, use the drop-down menus and choose between : , ; , and |

Click New Register to manually type the values and fields.

To include a field in your message, drag it from the Fields area and drop it into the Message area.

The expressions should be strings that, optionally, may contain field names. For example:

this is an example with the value: ${myField}

where ${myField} will be replaced with the actual value in the event.

The action provides the following features depending on the argument delimiter behavior and the given delimiter and replacement values:

REPLACE: replaces delimiter with replacement on each event field.
DELETE: deletes delimiter on each event field.
QUOTE: adds double quotes surrounding an event field if it contains delimiter.
ESCAPE: adds a backslash (\) before each delimiter on each event field.

To select more than one at once, click a field in the Fields area and select the checkboxes next to the name, then select Add fields.

Example

Let's say you have received raw data in JSON format and wish to extract the fields and format them as a CSV.

Raw data

[
  {
    "username": "user_1",
    "method": "POST",
    "endpoint": "breach log",
    "ip": "10.XXX.XX.XX",
    "description": "[Role] User performed an action on breach log",
    "viewport": [1920, 955],
    "usage": true
  },
  {
    "username": "user_1",
    "method": "POST",
    "endpoint": "event log",
    "ip": "10.XXX.XX.XX",
    "description": "[Role] User performed an action on event log from breach log",
    "viewport": [1920, 955],
    "usage": true
  },
  {
    "username": "service_user",
    "method": "POST",
    "endpoint": "/admin/age",
    "ip": "127.0.0.1",
    "status": 400
  },
  {
    "username": "user_2",
    "method": "POST",
    "endpoint": "/sso/login",
    "ip": "10.XXX.XX.XX",
    "status": 302
  }
]

Parse the JSON

Add a Parser to the canvas and extract the fields using the automatic parsing.

You have extracted the endpoint, ip, method, status and username into separate fields.

Build the message

Now use the Message Builder to create a CSV containing these fields as one message.

Drag the following fields to the Message area:

method
description
object
endpoint
ip
status
username
port

Fields delimiter: ,

if delimiter matches: Put "" in quotes.

PreviousFormatting NextSchemas

Last updated 29 days ago

Was this helpful?