Routes: Quick Start
This guide will help you get started with routes by walking you through some common scenarios.
Basic Setup
The simplest route that can be defined sends data directly without processing:
routes:
  - name: basic_forward
    description: "Forward all logs to storage"
    targets:
      - name: storage
Pipelines
Single
We can add some basic processing with a pipeline before we forward the data:
routes:
  - name: process_logs
    description: "Process and store logs"
    pipelines:
      - name: normalize_logs
    targets:
      - name: storage
Multiple
Or we can process data with several pipelines:
routes:
  - name: complex_processing
    description: "Multi-stage processing"
    pipelines:
      - name: normalize
      - name: enrich
      - name: aggregate
    targets:
      - name: analytics
Selection
Device-Based
We can route data from specific device types:
routes:
  - name: syslog_route
    if: device.type == 'syslog'
    pipelines:
      - name: syslog_normalize
    targets:
      - name: syslog_storage
  - name: windows_route
    if: device.type == 'windows'
    pipelines:
      - name: windows_normalize
    targets:
      - name: windows_storage
Dataset-Based
Or we can route it from specific datasets:
routes:
  - name: security_dataset
    if: dataset.name == 'security_logs'
    pipelines:
      - name: security_process
    targets:
      - name: security_analytics
  - name: performance_dataset
    if: dataset.name == 'performance_metrics'
    pipelines:
      - name: metrics_process
    targets:
      - name: metrics_platform
Multi-Target
The same data can be sent to multiple targets (mirroring):
routes:
  - name: mirror_logs
    description: "Store logs in multiple locations"
    pipelines:
      - name: normalize
    targets:
      - name: primary_storage
      - name: backup_storage
      - name: analytics_platform
Conditionals
Simple
We can filter the data to be forwarded using conditions:
routes:
  - name: firewall_logs
    description: "Process firewall logs"
    if: device.type == 'firewall'
    pipelines:
      - name: firewall_pipeline
    targets:
      - name: security_storage
Complex
For specific scenarios, complex filtering can be applied:
routes:
  - name: critical_errors
    if: log.severity == 'critical' && device.type == 'production'
    pipelines:
      - name: urgent_process
    targets:
      - name: alerts
      - name: storage
When a route does not behave as expected, verify that its conditions are correctly expressed and that its pipelines are configured, ensure that its targets are accessible, monitor the route's metrics, and review the logs.
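Added here as an example of what that verification step can look like, not code from the product or this guide: a Python script that checks a parsed routes list for missing targets and references to undefined pipelines or targets, then dry-runs an event through the `==` and `&&` condition forms shown above to list the routes it would take. The route list, the event shapes, and the assumption that a route without `if` matches every event are all constructed for the example.

```python
import re
# Constructed example of a routes file as it looks after YAML parsing (the names
# are the guide's own; the shape of the objects is an assumption).
ROUTES = [
    {"name": "syslog_route", "if": "device.type == 'syslog'",
     "pipelines": ["syslog_normalize"], "targets": ["syslog_storage"]},
    {"name": "critical_errors",
     "if": "log.severity == 'critical' && device.type == 'production'",
     "pipelines": ["urgent_process"], "targets": ["alerts", "storage"]},
    {"name": "mirror_logs", "pipelines": ["normalize"],
     "targets": ["primary_storage", "backup_storage"]},
]
# Only the condition forms the guide shows: `path == 'value'` clauses joined by &&.
_CLAUSE = re.compile(r"^\s*([a-z_]+(?:\.[a-z_]+)*)\s*==\s*'([^']*)'\s*$")

def lookup(event, path):
    """Resolve a dotted path such as device.type inside a nested event dict."""
    for part in path.split("."):
        if not isinstance(event, dict) or part not in event:
            return None  # a missing field never equals a literal
        event = event[part]
    return event

def matches(condition, event):
    """Evaluate a route condition; a route without `if` is assumed to match everything."""
    if condition is None:
        return True
    for clause in condition.split("&&"):
        m = _CLAUSE.match(clause)
        if not m:  # anything outside the supported subset is a configuration error
            raise ValueError(f"unsupported condition: {clause.strip()!r}")
        if lookup(event, m.group(1)) != m.group(2):
            return False
    return True

def validate(routes, known_pipelines, known_targets):
    """Report routes without targets and references to undefined pipelines/targets."""
    problems = []
    for i, r in enumerate(routes):
        name = r.get("name") or f"<route {i}>"
        if not r.get("targets"):
            problems.append(f"{name}: no targets")
        problems += [f"{name}: unknown pipeline {p}" for p in r.get("pipelines", []) if p not in known_pipelines]
        problems += [f"{name}: unknown target {t}" for t in r.get("targets", []) if t not in known_targets]
    return problems

def plan(routes, event):
    """List (route, pipelines, targets) for every route the event would take."""
    return [(r["name"], r.get("pipelines", []), r["targets"])
            for r in routes if matches(r.get("if"), event)]
```

Run `validate` against the pipeline and target names defined in the rest of the configuration, and `plan` against a captured sample event, before deploying a changed routes file.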