From 7ded8ce09cef300a897ea0397d28d3f4e65d0c0b Mon Sep 17 00:00:00 2001
From: chetanchoudhary-sumo
Date: Thu, 16 Oct 2025 10:25:11 +0530
Subject: [PATCH 1/3] updating FER for Network Load Balancer
---
docs/integrations/amazon-aws/application-load-balancer.md | 2 +-
docs/integrations/amazon-aws/network-load-balancer.md | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md
index b8f522eee3..f40c7318c0 100644
--- a/docs/integrations/amazon-aws/application-load-balancer.md
+++ b/docs/integrations/amazon-aws/application-load-balancer.md
@@ -144,7 +144,7 @@ json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name",
 |"" as namespace
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
 | parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/nlb", if(balancertype matches "net", "aws/nlb", namespace)) as namespace
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
 | if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
 | where namespace="aws/applicationelb" or isEmpty(namespace)
 | toLowerCase(loadbalancer) as loadbalancer
diff --git a/docs/integrations/amazon-aws/network-load-balancer.md b/docs/integrations/amazon-aws/network-load-balancer.md
index e0757ac04c..4df877fec9 100644
--- a/docs/integrations/amazon-aws/network-load-balancer.md
+++ b/docs/integrations/amazon-aws/network-load-balancer.md
@@ -72,9 +72,9 @@ json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name",
 |"" as namespace
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
 | parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, networkloadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/nlb", if(balancertype matches "net", "aws/nlb", namespace)) as namespace
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
 | if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
-| where namespace="aws/nlb" or isEmpty(namespace)
+| where namespace="aws/networkelb" or isEmpty(namespace)
 | toLowerCase(networkloadbalancer) as networkloadbalancer
 | fields region, namespace, networkloadbalancer, accountid
 ```
From 210b8c5b58386bc4fb8c11a12f90be3b75234ee5 Mon Sep 17 00:00:00 2001
From: chetanchoudhary-sumo
Date: Thu, 16 Oct 2025 23:09:49 +0530
Subject: [PATCH 2/3] Few more updates to FERs of ALB and NLB
---
.../amazon-aws/application-load-balancer.md | 16 +++++++++-------
.../amazon-aws/network-load-balancer.md | 16 +++++++++-------
2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md
index f40c7318c0..fc49e6b8e0 100644
--- a/docs/integrations/amazon-aws/application-load-balancer.md
+++ b/docs/integrations/amazon-aws/application-load-balancer.md
@@ -140,14 +140,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
 ```

 ```sql title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop
-|"" as namespace
+json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
-| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
-| where namespace="aws/applicationelb" or isEmpty(namespace)
-| toLowerCase(loadbalancer) as loadbalancer
+| "" as namespace
+| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop
+| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace
+| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
+| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer), loadbalancer1, loadbalancer2)) as loadbalancer
+| where namespace="aws/applicationelb" or isEmpty(namespace)
+| toLowerCase(loadbalancer) as loadbalancer
 | fields region, namespace, loadbalancer, accountid
 ```

diff --git a/docs/integrations/amazon-aws/network-load-balancer.md b/docs/integrations/amazon-aws/network-load-balancer.md
index 4df877fec9..6fd0af0e85 100644
--- a/docs/integrations/amazon-aws/network-load-balancer.md
+++ b/docs/integrations/amazon-aws/network-load-balancer.md
@@ -68,14 +68,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
 ```

 ```sql title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop
-|"" as namespace
+json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
-| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, networkloadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
-| where namespace="aws/networkelb" or isEmpty(namespace)
-| toLowerCase(networkloadbalancer) as networkloadbalancer
+| "" as namespace
+| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, networkloadbalancer1, f1 nodrop
+| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, networkloadbalancer2, f1, f2 nodrop
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace
+| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
+| where namespace="aws/networkelb" or isEmpty(namespace)
+| if (!isEmpty(networkloadbalancer), networkloadbalancer, if (!isEmpty(networkloadbalancer1), networkloadbalancer1, networkloadbalancer2)) as networkloadbalancer
+| toLowerCase(networkloadbalancer) as networkloadbalancer
 | fields region, namespace, networkloadbalancer, accountid
 ```

From cfdf6848abdff8feea223ce73c25accb6b0b5582 Mon Sep 17 00:00:00 2001
From: chetanchoudhary-sumo
Date: Thu, 16 Oct 2025 23:52:39 +0530
Subject: [PATCH 3/3] fixing alb fer
---
docs/integrations/amazon-aws/application-load-balancer.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md
index fc49e6b8e0..38c4ea2403 100644
--- a/docs/integrations/amazon-aws/application-load-balancer.md
+++ b/docs/integrations/amazon-aws/application-load-balancer.md
@@ -140,15 +140,15 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
 ```

 ```sql title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
+json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01"
 | "" as namespace
 | parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop
 | parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop
 | if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
-| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer), loadbalancer1, loadbalancer2)) as loadbalancer
+| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
 | where namespace="aws/applicationelb" or isEmpty(namespace)
+| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer1), loadbalancer1, loadbalancer2)) as loadbalancer
 | toLowerCase(loadbalancer) as loadbalancer
 | fields region, namespace, loadbalancer, accountid
 ```