OpenAI

Enrichment | AI Powered

Synopsis

Enriches events by sending field content to OpenAI's API for analysis and stores the response.

Schema

openai:
- field: <ident>
- api_key: <string>
- target_field: <ident>
- system_msg: <string>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- model: <string>
- temperature: <number>
- max_tokens: <number>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

Field          | Required | Default       | Description
---------------|----------|---------------|------------------------------------------
field          | Y        | -             | Field containing content to analyze
api_key        | Y        | -             | OpenAI API key for authentication
target_field   | N        | field         | Field to store the API response
system_msg     | N        | -             | System context message for the AI
description    | N        | -             | Explanatory note
if             | N        | -             | Condition to run
ignore_failure | N        | false         | Continue if API call fails
ignore_missing | N        | false         | Continue if source field doesn't exist
model          | N        | gpt-3.5-turbo | OpenAI model to use
temperature    | N        | 0.7           | Response randomness (0-1)
max_tokens     | N        | 1000          | Maximum response length
on_failure     | N        | -             | See Handling Failures
on_success     | N        | -             | See Handling Success
tag            | N        | -             | Identifier

Details

This processor is useful for automated analysis, context enrichment, and intelligent processing of log data. It supports system context messages that steer the analysis, temperature control for response variation, and token limits for managing response length.

System messages help guide the AI's analysis.

Different models can be selected with model, and the response can be tuned with temperature and max_tokens. Lower temperature values produce more focused responses.

Token limits control response length and cost. Consider rate limits and cost for high-volume processing, and note that long input texts may exceed the model's token limit.

Note: API responses are cached to improve performance, since each API call adds latency to event processing.

Error recovery options and success/failure handling are also available.

Warning: API keys should be stored and accessed securely.

Examples

Basic

Analyzing a Cisco device log...

{
  "message": "Interface GigabitEthernet0/1 is down"
}

openai:
- field: message
- target_field: analysis
- api_key: "${OPENAI_API_KEY}"
- system_msg: "You are an expert in Cisco networking. Analyze this log message."

adds information to the event:

{
  "message": "Interface GigabitEthernet0/1 is down",
  "analysis": "Network interface GigabitEthernet0/1 has lost connectivity. This could indicate a physical connection issue, port configuration problem, or upstream network failure. Immediate investigation recommended."
}

Precision

Fine-tuning analysis parameters...

{
  "error_msg": "Authentication failed for user admin"
}

openai:
- field: error_msg
- target_field: security_analysis
- api_key: "${OPENAI_API_KEY}"
- model: "gpt-4"
- temperature: 0.2
- max_tokens: 100
- system_msg: "You are a security analyst. Provide a brief analysis of this error."

produces more focused security insights:

{
  "error_msg": "Authentication failed for user admin",
  "security_analysis": "Potential security incident: Failed authentication attempt for privileged 'admin' account. Verify if part of a brute force attempt. Check source IP and implement account lockout if needed."
}

Conditionals

Analyzing only critical errors...

{
  "message": "Critical: Database corruption detected",
  "level": "critical"
}

openai:
- if: "ctx.level == 'critical'"
- field: message
- target_field: ai_insight
- api_key: "${OPENAI_API_KEY}"

enriches the event because its level is critical:

{
  "message": "Critical: Database corruption detected",
  "level": "critical",
  "ai_insight": "Severe database issue detected: Corruption may lead to data loss or system instability. Immediate database recovery procedures should be initiated. Consider failover to backup if available."
}

Error Handling

Anticipating API failures...

{
  "message": "System alert"
}

openai:
- field: message
- api_key: "invalid-key"
- ignore_failure: true
- on_failure:
  - set:
      field: analysis_status
      value: "failed"

continues execution:

{
  "message": "System alert",
  "analysis_status": "failed"
}
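The following is an added model of the processor's control flow as documented above (the `if` gate, `ignore_missing`, the response cache, `on_success`, and `ignore_failure` with `on_failure`), written for this page and not the product's own code. It assumes a hypothetical injected `call_api` transport so it runs offline, expresses the `if` script as a Python predicate, and resolves `${OPENAI_API_KEY}` from the environment so the key never sits in the config.

```python
import os
import re
from typing import Callable

_cache: dict[tuple, str] = {}  # memoises identical prompts, mirroring the documented response cache

def expand_secrets(value: str) -> str:
    """Resolve ${VAR} from the environment; a literal like "invalid-key" is returned unchanged."""
    return re.sub(r"\$\{([A-Z0-9_]+)\}", lambda m: os.environ[m.group(1)], value)

def run_openai(event: dict, cfg: dict, call_api: Callable[..., str]) -> dict:
    """Apply one openai processor to one event. cfg keys match the page's schema;
    cfg["if"] is a predicate here, and on_success/on_failure are lists of callables."""
    if "if" in cfg and not cfg["if"](event):
        return event                                    # condition false: event passes through untouched
    field = cfg["field"]
    if field not in event:
        if cfg.get("ignore_missing", False):
            return event
        raise KeyError(f"source field {field!r} missing")
    key = (cfg.get("model", "gpt-3.5-turbo"), cfg.get("system_msg"), event[field],
           cfg.get("temperature", 0.7), cfg.get("max_tokens", 1000))
    try:
        if key not in _cache:                           # only unseen prompts cost an API round-trip
            _cache[key] = call_api(expand_secrets(cfg["api_key"]), *key)
        event[cfg.get("target_field", field)] = _cache[key]
        for proc in cfg.get("on_success", []):
            proc(event)
    except Exception:
        if not cfg.get("ignore_failure", False):
            raise                                       # default: a failed call stops the pipeline
        for proc in cfg.get("on_failure", []):          # e.g. the `set` processor from the last example
            proc(event)
    return event

def fake_api(api_key: str, model: str, system_msg, content: str, temperature, max_tokens) -> str:
    """Constructed offline stand-in for the OpenAI call: rejects a bad key, otherwise returns a verdict."""
    if not api_key.startswith("sk-"):
        raise PermissionError("401 invalid api key")
    return f"[{model}] analysis of: {content}"

def demo() -> tuple[dict, dict, dict]:
    """Replay the Conditionals and Error Handling examples from this page against fake_api."""
    os.environ.setdefault("OPENAI_API_KEY", "sk-constructed-placeholder")  # constructed, not a real key
    gated = {"if": lambda e: e["level"] == "critical", "field": "message",
             "target_field": "ai_insight", "api_key": "${OPENAI_API_KEY}"}
    crit = run_openai({"message": "Critical: Database corruption detected", "level": "critical"}, gated, fake_api)
    info = run_openai({"message": "Disk usage at 40%", "level": "info"}, gated, fake_api)
    failed = run_openai({"message": "System alert"},
                        {"field": "message", "api_key": "invalid-key", "ignore_failure": True,
                         "on_failure": [lambda e: e.update(analysis_status="failed")]}, fake_api)
    return crit, info, failed
```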