Label Enrich processor — enrich alert event labels by looking up additional fields from an external data source based on existing labels.
Overview
The Label Enrich event processor is a component for enriching alert event label information. Based on the event’s existing labels, it looks up and appends additional label information from an external data source (such as a database table), providing richer context for alert events.
Main Features
- Label enrichment: looks up extra labels from a configured data source based on existing labels
- Flexible mapping: supports renaming and custom mapping of label keys
- High-performance lookup: uses an in-memory cache for fast label lookup and matching
Use Cases
- Geo enrichment: based on IP address or data-center code, add city/region geo-info labels
- Resource attribute enrichment: based on hostname or instance ID, add business line, environment type, owner, etc.
- Hierarchy enrichment: based on namespace or service name, add project/team/department org-structure info
Configuration
Basic configuration
When creating the processor, the following fields appear at the top of the page:
| Field | Description |
|---|---|
| Type | Select Label Enrich. |
| Label source | Currently supports the built-in label dictionary (default). External dictionaries can be added in the future. |
| Dictionary name | Pick a specific dictionary from the drop-down, e.g. store info. |
Tip: the system first builds a query index from the “source labels”, looks up matching records in the dictionary, then writes the looked-up fields to the event according to the “new labels” config.
Source label configuration (index key)
This area specifies what the lookup index consists of. Each row maps a “dictionary field” to an “event label”.
| Column | Purpose | Example |
|---|---|---|
| Field in dictionary | The column name in the dictionary used as the index | storeCode |
| Corresponding label in event | The existing label key in the alert event | storeCode |
After multiple rows are configured, the system builds the index key as follows:
- For each row, form a pair "dictionary field=value of the corresponding event label"; if the label is missing from the event, the whole lookup is skipped.
- Sort all key-value pairs alphabetically and join with commas.
Concatenation example:
storeCode=001,namespace=prod
New label configuration (result mapping)
In this area, select the fields to write back to the event. Each row is a write rule:
| Parameter | Description | Example |
|---|---|---|
| Dictionary field | The column name in the lookup result, e.g. cityName | cityName |
| Rename label key | Toggle. When off, the dictionary field is used as the label key; when on, enter a new label key | On -> city |
A common practice:
- Enable Rename label key to replace the business-agnostic field name with a business-friendly label key, e.g. cityName -> city.
Use the "+" button on the right to add more label rows to write.
Test
After configuration, click the Test button at the bottom and enter a set of event labels to test (e.g. storeCode=001,namespace=prod) to see which fields the system retrieves from the dictionary and what is eventually written into the event.
Examples
Scenario: host label enrichment
Source labels:
- hostname -> hostname
New labels:
- department -> dept
- owner -> owner
- environment -> env
Effect:
Original event labels: {hostname: "web-server-01"}
Enriched labels: {hostname: "web-server-01", dept: "技术部", owner: "张三", env: "production"}
Notes
- Index completeness: ensure all configured source labels exist in the event, otherwise the lookup will be skipped
- Field matching: ensure the source key names in the new-label configuration exactly match the fields in the data source
- Label conflict: if a new label key conflicts with an existing event label, the new value overrides the original
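The lookup flow described above (index key from the source labels, result mapping with rename, override on conflict), as an added Python example that is not the product's own code. The function names, the in-memory index layout and the plain string sort of the key-value pairs are assumptions, and the sample record is constructed from the host scenario. The example also returns the labels that enrichment overwrote, so that an override of a value such as owner can be logged and reviewed.

```python
# Added example, not the product's code; all names here are hypothetical.
def build_index_key(source_rows, labels):
    """source_rows: [(dictionary_field, event_label_key)]; None if a label is missing."""
    pairs = []
    for dict_field, label_key in source_rows:
        if label_key not in labels:
            return None  # one missing source label skips the whole lookup
        pairs.append(f"{dict_field}={labels[label_key]}")
    return ",".join(sorted(pairs))  # assumption: plain string sort


def index_dictionary(records, source_rows):
    """Build the in-memory cache: index key -> dictionary record."""
    index = {}
    for rec in records:
        key = build_index_key([(f, f) for f, _ in source_rows], rec)
        if key is not None:
            index[key] = rec
    return index


def enrich(labels, index, source_rows, new_rows):
    """new_rows: [(dictionary_field, label_key_to_write)].
    Returns (enriched_labels, overridden); overridden holds the original
    value of every existing label that enrichment replaced."""
    key = build_index_key(source_rows, labels)
    record = index.get(key) if key is not None else None
    if record is None:
        return dict(labels), {}
    out, overridden = dict(labels), {}
    for dict_field, target in new_rows:
        if dict_field not in record:
            continue  # field name does not match the data source
        if target in out and out[target] != record[dict_field]:
            overridden[target] = out[target]  # keep the value for audit
        out[target] = record[dict_field]  # new value overrides the original
    return out, overridden


# Constructed sample data, modelled on the host scenario above.
RECORDS = [{"hostname": "web-server-01", "department": "技术部",
            "owner": "张三", "environment": "production"}]
SOURCE_ROWS = [("hostname", "hostname")]
NEW_ROWS = [("department", "dept"), ("owner", "owner"), ("environment", "env")]
INDEX = index_dictionary(RECORDS, SOURCE_ROWS)

if __name__ == "__main__":
    print(enrich({"hostname": "web-server-01", "owner": "alice"},
                 INDEX, SOURCE_ROWS, NEW_ROWS))
```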
Troubleshooting
Common issues
Issue 1: labels are not enriched
- Check whether all source labels exist in the event
- Verify the index key format is correct
Issue 2: label values are incorrect
- Confirm the field names in the data source match the configuration
- Check the data-source update timestamp
- Verify the rename configuration is correct
By properly configuring and using the Label Enrich processor, you can significantly increase the information richness of alert events, providing more valuable context for subsequent alert handling and analysis.