Anthropic

Tags: Enrichment, AI Powered

Synopsis

Enriches events by sending the content of one field to Anthropic's Claude API for analysis and storing the model's response in the event.

Schema

anthropic:
- field: <ident>
- api_key: <string>
- target_field: <ident>
- developer_msg: <string>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- model: <string>
- temperature: <number>
- max_tokens: <number>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

Field           Required  Default                  Description
field           Y         message                  Field containing the content to analyze
api_key         Y         -                        Anthropic API key used for authentication
target_field    N         (value of field)         Field to store the API response; by default the source field is overwritten
developer_msg   N         built-in system message  System message that gives Claude context for the analysis; the built-in message asks for one-word responses unless an explanation is requested
description     N         -                        Explanatory note
if              N         -                        Condition that must hold for the processor to run
ignore_failure  N         false                    Continue if the API call fails
ignore_missing  N         false                    Continue if the source field does not exist
model           N         claude-3-opus-20240229   Claude model to use
temperature     N         0.7                      Response randomness (0-1); lower values are more deterministic
max_tokens      N         1000                     Maximum response length in tokens
on_failure      N         -                        See Handling Failures
on_success      N         -                        See Handling Success
tag             N         -                        Identifier for this processor instance

Details

The processor is useful for automated analysis, context enrichment, and intelligent processing of log data. It supports system context messages for analysis, temperature control for response variation, and token limits for response length management.

Supported model names: claude-3-opus-20240229, claude-3-sonnet-20240229, claude-3-haiku-20240307.

warning

Invalid model names will cause processing errors.

API responses are cached to improve performance: an event whose field content and processor settings match an earlier request reuses the stored response instead of making a new API call.

caution

API calls add latency to event processing.

Developer messages steer Claude's analysis, and lower temperature values produce more focused and repeatable responses. Every event that reaches the processor costs one API call unless its response is cached, so account for Anthropic's rate limits and per-token pricing before enabling it on a high-volume stream. max_tokens caps the response length and therefore the output cost; long input texts may exceed the model's token limits.

warning

API keys must be kept in a secret store and referenced from configuration, as the examples below do with "${ANTHROPIC_SECRET_KEY}", never written literally into the pipeline. Remember also that the content of field leaves your environment with every call: do not route fields that may carry credentials, tokens, or personal data through this processor, and treat the stored response as untrusted text, since log content is frequently attacker-influenced.

Examples

Basic

Analyzing a Cisco device log...

{
"message": "Interface GigabitEthernet0/1 is down"
}
anthropic:
- field: message
- target_field: analysis
- api_key: "${ANTHROPIC_SECRET_KEY}"
- developer_msg: "You are an expert in Cisco networking. Analyze this log message."

adds information to the event:

{
"message": "Interface GigabitEthernet0/1 is down",
"analysis": "Critical network issue detected: GigabitEthernet0/1 interface is non-operational. Possible causes include physical link failure, administrative shutdown, or interface configuration issues. Recommended actions: Check cable connectivity, interface status, and configuration settings."
}

Precision

Configuring analysis parameters...

{
"error_msg": "Authentication failed for user admin"
}
anthropic:
- field: error_msg
- target_field: security_analysis
- api_key: "${ANTHROPIC_SECRET_KEY}"
- model: "claude-3-sonnet-20240229"
- temperature: 0.2
- max_tokens: 100
- developer_msg: "You are a security analyst. Provide a brief analysis of this error."

produces more focused security insights:

{
"error_msg": "Authentication failed for user admin",
"security_analysis": "Security alert: Failed login attempt detected for admin account. This requires immediate attention as it involves a privileged account. Recommend reviewing authentication logs, checking for brute force patterns, and ensuring proper access controls are in place."
}

Conditionals

Analyzing only critical errors...

{
"message": "Critical: Database corruption detected",
"level": "critical"
}
anthropic:
- if: "ctx.level == 'critical'"
- field: message
- target_field: ai_insight
- api_key: "${ANTHROPIC_SECRET_KEY}"

runs only because level is critical, and adds:

{
"message": "Critical: Database corruption detected",
"level": "critical",
"ai_insight": "Critical database integrity issue detected. This indicates potential data corruption that could lead to data loss or service disruption. Immediate actions required: Initiate database recovery procedures, verify backup integrity, and prepare for possible failover."
}

Error Handling

Handling API failures gracefully...

{
"message": "System alert"
}
anthropic:
- field: message
- api_key: "invalid-key"
- ignore_failure: true
- on_failure:
    - set:
        field: analysis_status
        value: "failed"

continues execution:

{
"message": "System alert",
"analysis_status": "failed"
}
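The control flow the Details section describes (defaults, the `if` condition, `ignore_missing`, response caching) and the Error Handling example above are easier to reason about with a runnable model. The block below is an added example written for this page, not the pipeline's own implementation: the real call to Claude is isolated in `claude_caller`, which uses the `anthropic` SDK's `messages.create` and is never executed offline, while `stub_caller` and `failing_caller` stand in for the API. The exact wording of the built-in developer message and the precedence between `ignore_failure` and `on_failure` are assumptions modelled on the examples; the events are constructed.

```python
import json
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
ApiCaller = Callable[[Dict[str, Any]], str]

# Defaults from the configuration table; the developer message wording is assumed.
DEFAULTS: Dict[str, Any] = {
    "field": "message",
    "model": "claude-3-opus-20240229",
    "temperature": 0.7,
    "max_tokens": 1000,
    "developer_msg": "Reply with one word unless an explanation is requested.",
}

class ProcessorError(Exception):
    """The step failed and the configuration does not say to continue."""

def build_request(cfg: Dict[str, Any], content: str) -> Dict[str, Any]:
    """Assemble the Messages API request for one event's field content."""
    return {
        "model": cfg.get("model", DEFAULTS["model"]),
        "max_tokens": cfg.get("max_tokens", DEFAULTS["max_tokens"]),
        "temperature": cfg.get("temperature", DEFAULTS["temperature"]),
        "system": cfg.get("developer_msg", DEFAULTS["developer_msg"]),
        "messages": [{"role": "user", "content": content}],
    }

def claude_caller(api_key: str) -> ApiCaller:
    """Real caller on the anthropic SDK (imported lazily; never run offline)."""
    def call(req: Dict[str, Any]) -> str:
        import anthropic  # pip install anthropic
        resp = anthropic.Anthropic(api_key=api_key).messages.create(**req)
        return resp.content[0].text
    return call

def apply_steps(event: Event, steps: List[Dict[str, Any]]) -> None:
    """Run on_failure/on_success handlers; only `set` is modelled."""
    for step in steps:
        event[step["set"]["field"]] = step["set"]["value"]

def run_anthropic(event: Event, cfg: Dict[str, Any], call_api: ApiCaller,
                  cache: Optional[Dict[str, str]] = None,
                  condition: Optional[Callable[[Event], bool]] = None) -> Event:
    """Apply one step; `condition` stands in for `if`, `cache` is shared across events."""
    if condition is not None and not condition(event):
        return event                            # `if` false: step skipped
    field = cfg.get("field", DEFAULTS["field"])
    target = cfg.get("target_field", field)     # default overwrites the source
    if field not in event:
        if cfg.get("ignore_missing", False):
            return event
        raise ProcessorError(f"source field {field!r} is missing")
    req = build_request(cfg, str(event[field]))
    key = json.dumps(req, sort_keys=True)       # keyed on the whole request
    try:
        if cache is not None and key in cache:
            text = cache[key]
        else:
            text = call_api(req)
            if cache is not None:
                cache[key] = text
    except Exception as exc:
        # Assumed precedence: run on_failure handlers, then continue if either
        # ignore_failure or on_failure was configured, else fail the step.
        handlers = cfg.get("on_failure", [])
        apply_steps(event, handlers)
        if not (cfg.get("ignore_failure", False) or handlers):
            raise ProcessorError(str(exc)) from exc
        return event
    event[target] = text
    apply_steps(event, cfg.get("on_success", []))
    return event

# Constructed stand-ins for the API so the model runs offline.
def stub_caller(reply: str) -> ApiCaller:
    seen: List[Dict[str, Any]] = []             # every request the stub received
    def call(req: Dict[str, Any]) -> str:
        seen.append(req)
        return reply
    call.seen = seen  # type: ignore[attr-defined]
    return call

def failing_caller(req: Dict[str, Any]) -> str:
    raise RuntimeError("simulated 401 authentication_error")   # invalid api_key

def demo() -> Dict[str, Event]:
    """Replay the Basic, Conditionals and Error Handling examples."""
    cache: Dict[str, str] = {}
    caller = stub_caller("Interface down; check cabling and admin state.")
    basic = run_anthropic({"message": "Interface GigabitEthernet0/1 is down"},
                          {"target_field": "analysis"}, caller, cache)
    skipped = run_anthropic({"message": "Disk at 40%", "level": "info"},
                            {"target_field": "ai_insight"}, caller, cache,
                            condition=lambda e: e.get("level") == "critical")
    failed = run_anthropic({"message": "System alert"}, {"ignore_failure": True,
        "on_failure": [{"set": {"field": "analysis_status", "value": "failed"}}]},
        failing_caller)
    return {"basic": basic, "skipped": skipped, "failed": failed}
```

Because the cache key is the whole request rather than the field content alone, changing model, temperature, max_tokens or the developer message forces a fresh call even for identical input; that is also why two processors with different settings on the same field cost two calls.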