Events sometimes have extra data that is unnecessary and may overwhelm the
rule engine. Event filters allow us to remove that extra data so we can
focus on what matters to our rules. Event filters may also change the format
of the data so that the rule conditions can better match the data.
Events are defined as python code and distributed as collections. The default
eda collection. has the following filters
Include and exclude keys from the event object
This filter changes the dashes in all keys in the payload to be underscore.
Events filters can be chained one after the other, and the updated data is
sent from one filter to the next.
Events filters are defined in the rulebook after a source is defined.
When the rulebook starts the Source plugin it associates the correct filters
and transforms the data before putting it into the queue.
- name: azure_service_bus
exclude_keys: ['*_url', '_links', 'base', 'sender', 'owner', 'user']
In the above example the data is first passed thru the json_filter and then
thru the dashes_to_underscores filter.
Keys in the event payload can only contain letters, numbers and underscores.
The period (.) is used to access nested keys.
Since every event should record the origin of the event we have a filter
eda.builtin.insert_meta_info which will be added automatically by
ansible-rulebook to add the source name and type and received_at.
The received_at stores a date time in UTC ISO8601 format and includes
The uuid stores the unique id for the event.
The event payload would be modified to include the following data
The meta key is used to store metadata about the event and its needed to
correctly report about the events in the aap-server.