
Azure OpenAI

Enrichment AI Powered

Synopsis

Enriches events by sending field content to Azure OpenAI API for analysis and storing the response.

Schema

azureai:
- field: <ident>
- api_key: <string>
- resource_name: <string>
- deployment_name: <string>
- target_field: <ident>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- temperature: <number>
- max_tokens: <number>
- api_version: <string>
- developer_msg: <string>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

Field            Required  Default                 Description
field            Y         message                 Field containing the content to analyze
api_key          Y         -                       Azure OpenAI API key
resource_name    Y         -                       Azure OpenAI resource name
deployment_name  Y         -                       Azure model deployment name
target_field     N         field                   Field to store the API response in (by default the source field is overwritten)
description      N         -                       Explanatory note
if               N         -                       Condition to run
ignore_failure   N         false                   Continue if the API call fails
ignore_missing   N         false                   Continue if the source field doesn't exist
temperature      N         0.7                     Response randomness (0-1)
max_tokens       N         1000                    Maximum response length in tokens
api_version      N         2024-02-15-preview      Azure OpenAI API version
developer_msg    N         Default system message  System message that sets the context for the analysis
on_failure       N         -                       See Handling Failures
on_success       N         -                       See Handling Success
tag              N         -                       Identifier

Details

The processor sends the content of the source field to the Azure OpenAI API and stores the model's reply in the target field, which makes it useful for automated analysis, context enrichment, and other intelligent processing of log data. A developer (system) message steers the analysis, temperature controls how much responses vary, and max_tokens bounds response length. Note that the field content leaves your environment verbatim and becomes part of the prompt: check what the analyzed logs contain before enabling the processor, and treat the stored response as advisory text rather than a trusted verdict, since attacker-controlled log lines can influence what the model writes.

API responses are cached to improve performance, so repeated content does not trigger a new API call.

caution

API calls add latency to event processing.

The processor targets a specific Azure OpenAI resource and model deployment, selected with resource_name and deployment_name.

warning

Resource name and deployment name must match your Azure setup. Invalid resource or deployment names will cause processing errors. Make sure your Azure OpenAI resource has the required model deployments.

Developer messages guide the model's analysis, and lower temperature values produce more focused and repeatable responses.

note

Consider rate limits and costs for high-volume processing. max_tokens caps the response length and therefore the cost per call, and long input texts may exceed the model's token limit.

warning

API keys must be stored and accessed securely. Reference the key through an environment variable, as the examples below do with ${AZURE_OPENAI_API_KEY}, rather than writing it into the pipeline definition.
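The following Python model, added here and not the product's own code, ties together the behaviour described above so it can be exercised offline: the if condition, the target_field default, ignore_missing and ignore_failure, response caching, and an API key resolved from the environment instead of the pipeline file. It assumes the processor calls the Azure OpenAI chat completions endpoint (the page only says "Azure OpenAI API"), models the if script as a Python callable, and invents the default developer message text; the transports and sample events are constructed for the example.

```python
"""Reduced model of the azureai processor, added for this page (not the
product's code).  Lines marked ASSUMPTION are not documented by the page."""
import hashlib
import json
import os
import re
from typing import Any, Callable, Dict, Mapping

API_VERSION_DEFAULT = "2024-02-15-preview"                   # page default
DEVELOPER_MSG_DEFAULT = "You are a log analysis assistant."  # ASSUMPTION: page does not show the default text
_SECRET_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def resolve_secret(value: str, env: Mapping[str, str] = os.environ) -> str:
    """Expand "${NAME}" from the environment so the key never sits in the pipeline file.
    ASSUMPTION: the page's examples use this syntax but do not define it."""
    m = _SECRET_REF.match(value)
    if not m:
        return value                      # literal key in config: works, but discouraged
    if m.group(1) not in env:
        raise KeyError(f"secret {m.group(1)} is not set in the environment")
    return env[m.group(1)]


def build_request(cfg: Dict[str, Any], api_key: str, content: str):
    """Return (url, headers, body) for one analysis call.
    ASSUMPTION: the chat completions endpoint is used; the page only says 'Azure OpenAI API'.
    URL and api-key header follow Azure OpenAI's public REST interface."""
    url = ("https://{r}.openai.azure.com/openai/deployments/{d}"
           "/chat/completions?api-version={v}").format(
        r=cfg["resource_name"], d=cfg["deployment_name"],
        v=cfg.get("api_version", API_VERSION_DEFAULT))
    headers = {"api-key": api_key, "Content-Type": "application/json"}
    body = {
        "messages": [
            {"role": "system", "content": cfg.get("developer_msg", DEVELOPER_MSG_DEFAULT)},
            {"role": "user", "content": content},  # untrusted log text lands in the prompt as-is
        ],
        "temperature": cfg.get("temperature", 0.7),
        "max_tokens": cfg.get("max_tokens", 1000),
    }
    return url, headers, body


class AzureAIProcessor:
    def __init__(self, cfg: Dict[str, Any], transport: Callable, env: Mapping[str, str] = os.environ):
        self.cfg = cfg
        self.transport = transport
        self.api_key = resolve_secret(cfg["api_key"], env)  # fail at load time, not on the first event
        self.cache: Dict[str, str] = {}                       # unbounded here; size-limit it in real use
        self.calls = 0

    def _cache_key(self, content: str) -> str:
        # Key on everything that changes the answer, not only the text.
        material = json.dumps([self.cfg["deployment_name"],
                               self.cfg.get("developer_msg", DEVELOPER_MSG_DEFAULT),
                               self.cfg.get("temperature", 0.7),
                               self.cfg.get("max_tokens", 1000), content])
        return hashlib.sha256(material.encode()).hexdigest()

    def process(self, event: Dict[str, Any]) -> Dict[str, Any]:
        cond = self.cfg.get("if")  # ASSUMPTION: a Python callable stands in for the product's script syntax
        if cond is not None and not cond(event):
            return event
        field = self.cfg.get("field", "message")
        if field not in event:
            if self.cfg.get("ignore_missing", False):
                return event
            raise KeyError(f"field {field!r} missing from event")
        content = str(event[field])
        key = self._cache_key(content)
        if key not in self.cache:
            url, headers, body = build_request(self.cfg, self.api_key, content)
            self.calls += 1
            try:
                resp = self.transport(url, headers, body)
                self.cache[key] = resp["choices"][0]["message"]["content"]
            except Exception:
                if self.cfg.get("ignore_failure", False):
                    return event          # leave the event untouched and keep processing
                raise
        event[self.cfg.get("target_field", field)] = self.cache[key]
        return event


def fake_transport(url, headers, body):
    """Offline stand-in for the HTTP call; the reply is constructed, not real model output."""
    return {"choices": [{"message": {"role": "assistant",
                                     "content": "analysis of: " + body["messages"][-1]["content"]}}]}


def failing_transport(url, headers, body):
    """Simulates an API error such as a 429 rate-limit response."""
    raise RuntimeError("simulated 429 Too Many Requests")


def demo():
    cfg = {
        "if": lambda ctx: ctx.get("level") == "critical",
        "field": "message", "target_field": "ai_insight",
        "api_key": "${AZURE_OPENAI_API_KEY}",
        "resource_name": "myopenai-resource", "deployment_name": "gpt4-deployment",
        "temperature": 0.2, "max_tokens": 100,
    }
    proc = AzureAIProcessor(cfg, fake_transport, env={"AZURE_OPENAI_API_KEY": "test-key"})
    events = [  # constructed sample events
        {"message": "Critical: Database corruption detected", "level": "critical"},
        {"message": "Critical: Database corruption detected", "level": "critical"},  # served from cache
        {"message": "User logged in", "level": "info"},                              # skipped by `if`
    ]
    return proc, [proc.process(dict(e)) for e in events]
```

Running demo() processes three events but makes a single API call: the second critical event is served from the cache and the info event never reaches the model. Swapping fake_transport for an HTTP client that POSTs the body to the returned URL with the returned headers turns the model into a working client; keep the cache bounded and the key in the environment when you do.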

Examples

Basic

Analyzing a Cisco device log...

{
"message": "Interface GigabitEthernet0/1 is down"
}
azureai:
- field: message
- target_field: analysis
- api_key: "${AZURE_OPENAI_API_KEY}"
- resource_name: "myopenai-resource"
- deployment_name: "gpt4-deployment"
- developer_msg: "You are an expert in Cisco networking. Analyze this log message."

adds information to the event:

{
"message": "Interface GigabitEthernet0/1 is down",
"analysis": "Network interface GigabitEthernet0/1 has lost connectivity. This could indicate a physical connection issue, port configuration problem, or upstream network failure. Immediate investigation recommended."
}

Precision

Fine-tuning analysis parameters...

{
"error_msg": "Authentication failed for user admin"
}
azureai:
- field: error_msg
- target_field: security_analysis
- api_key: "${AZURE_OPENAI_API_KEY}"
- resource_name: "myopenai-resource"
- deployment_name: "gpt4-deployment"
- temperature: 0.2
- max_tokens: 100
- developer_msg: "You are a security analyst. Provide a brief analysis of this error."

produces more focused security insights:

{
"error_msg": "Authentication failed for user admin",
"security_analysis": "Potential security incident: Failed authentication attempt for privileged 'admin' account. Verify if part of a brute force attempt. Check source IP and implement account lockout if needed."
}

Conditionals

Analyzing only critical errors...

{
"message": "Critical: Database corruption detected",
"level": "critical"
}
azureai:
- if: "ctx.level == 'critical'"
- field: message
- target_field: ai_insight
- api_key: "${AZURE_OPENAI_API_KEY}"
- resource_name: "myopenai-resource"
- deployment_name: "gpt4-deployment"

runs only because level is critical, and adds:

{
"message": "Critical: Database corruption detected",
"level": "critical",
"ai_insight": "Severe database issue detected: Corruption may lead to data loss or system instability. Immediate database recovery procedures should be initiated. Consider failover to backup if available."
}

Custom API

Using a specific API version...

{
"message": "Error code 0x8000ffff"
}
azureai:
- field: message
- target_field: analysis
- api_key: "${AZURE_OPENAI_API_KEY}"
- resource_name: "myopenai-resource"
- deployment_name: "gpt4-deployment"
- api_version: "2024-02-15-preview"

pins the request to that API version and produces:

{
"message": "Error code 0x8000ffff",
"analysis": "Generic Windows system error (E_UNEXPECTED). This indicates an unexpected failure in the system. Check system logs for more details and recent changes that might have caused this error."
}