Create Event Types

An event type specifies a query that you run to bring data into LogicHub for analysis and scoring. Event types can draw from any of the following source types:

  • Results of a query on an external source, such as Splunk, SumoLogic, or Elasticsearch.
  • Results from a step in a LogicHub playbook.
  • System events created by LogicHub to ingest data from activity in the LogicHub system. For more information, see System event types.

Note: To view or set up event types, you must be in a group that has Event Type permission. For more information, see Manage users.

Before you Begin

If you're setting up an event type based on a query to an external source, you must first set up a connection to the source. For instructions, see Create connections.

Create an Event Type

  1. Select My Library > Event Types.
  2. Click New.
  3. Enter a name to identify the event type. The name can consist of alphanumeric characters and underscores ( _ ). The first character can't be a number.
  4. To use this event type with other environments, select the Templatization checkbox. Depending on the connection type, you can generate a query from a template or edit an existing template. See 'Templates' in this topic.
  5. Click Playbook/Node to base the event type on a playbook step or click Query to base the event type on a query to an external connection. For details, see 'Create an event type from an external connection' or 'Create an event type from the output of a playbook node' in this topic.
  6. After configuring the query for the connection or selecting a playbook and node, click Submit.

The Event Types page opens to show the list of event types. Click an entry to edit the settings, or click the trash can icon to delete an entry.

The event type is now available for use when creating a playbook. When using Easy Mode to create a playbook, you can search for the event type by name and add it. See Create a playbook in Easy Mode. In Advanced Mode, a playbook typically starts with an event type. See Create a playbook in Advanced Mode.

Use Templates with an Event Type

When you select the Templatization checkbox, options are displayed to configure templates.

Create an Event Type from an External Connection

  1. When creating an event type, click Query.
  2. Select a connection from the dropdown list. For instructions on creating connections, see Create connections.
  3. Enter or paste the query that you want to use in the Query field, or click Configure Query Template to create templatized queries that are based on the type of connection. For templatized queries:
    • Click Configure Query Template.
    • Select the connection type and source (playbook or query) from the Connection Types dropdown lists. For the connection type, you can connect to your SIEM (SumoLogic or Splunk), Elasticsearch, a file, or a directory. For the source, you can choose a playbook step or a query.
    • Enter the query in the space provided. To insert a parameter into the query, click Insert Parameter then Create a New Parameter. Select the parameter, enter an optional description, and click Submit. The parameter is added to the query. Add additional new or existing parameters as needed.

Templates

This screenshot shows two queries: one with file as the connection type and one with splunk as the connection type. You select the connection type and add the query and parameters.

When you create a parameter, it is listed above the template definition area.

To edit or delete the parameter, click the More icon (...) and select an option. When editing a parameter, you are given the option of updating it for all event types or just the selected one.

When you have finished defining queries, click Submit to return to the Add Event Type page. In the Query area, a message indicates that a query has been defined using templates. Use the query area to specify any values for the query parameters.

  1. Optionally select a date-time range and select any column names that you want to include in the query results, even if the query returns no data. Use a comma-separated list to specify multiple columns.

Example: Elasticsearch

When you add an event type based on Elasticsearch 6 or Elasticsearch 7, the default query is filled in automatically:
select * from <index_name> where <timestamp_field> >= {{start_time}} and <timestamp_field> <= {{end_time}}

where
<index_name> is the Elasticsearch index
<timestamp_field> is the timestamp field
start_time and end_time are the playbook or batch start and end time

Example:
select * from testindex where timestamp >= {{start_time}} and timestamp <= {{end_time}}

Alternatively, you can use the following Elasticsearch query:
(NOTE: applicable to both Elasticsearch 6 and Elasticsearch 7)

{
   "bool":{
      "must":{
         "terms":{
            "_index":[
               "testindex"
            ]
         }
      },
      "filter":{
         "range":{
            "timestamp":{
               "gte": {{ start_time }},
               "lte": {{ end_time }}
            }
         }
      }
   }
}
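The following pre-submit check is an added example, not LogicHub code: it validates an event type name against the naming rule in 'Create an Event Type' and fills the query-DSL template above with integer-only parameters, confirming that the result still parses as JSON. The function names, the sample timestamps (epoch milliseconds), and the ASCII reading of "alphanumeric" are assumptions.

```python
import json
import re

# Assumption: placeholders are written {{name}} or {{ name }}, as in the queries on this page.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Naming rule from step 3 (ASCII assumed): letters, digits, underscores; no leading digit.
NAME_RULE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Query-DSL template from this page, compacted onto fewer lines.
TEMPLATE = """
{"bool": {
  "must": {"terms": {"_index": ["testindex"]}},
  "filter": {"range": {"timestamp": {"gte": {{ start_time }}, "lte": {{ end_time }} }}}
}}
"""
# Constructed sample values; epoch milliseconds is an assumption, not stated on the page.
SAMPLE = {"start_time": 1700000000000, "end_time": 1700003600000}


def valid_event_type_name(name):
    """Return True if the name satisfies the event type naming rule."""
    return NAME_RULE.fullmatch(name) is not None


def render_query(template, params):
    """Fill integer parameters into the template and return the parsed JSON query."""
    def substitute(match):
        key = match.group(1)
        if key not in params:
            raise ValueError(f"undefined parameter: {key}")
        value = params[key]
        # Integers only, so a parameter value can never add quotes or JSON structure.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"parameter {key} must be an integer")
        return str(value)

    rendered = PLACEHOLDER.sub(substitute, template)
    try:
        return json.loads(rendered)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rendered query is not valid JSON: {exc}") from exc


if __name__ == "__main__":
    print(valid_event_type_name("es_auth_events"))
    print(json.dumps(render_query(TEMPLATE, SAMPLE), indent=2))
```
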

Example: Devo

When you add an event type based on Devo, the following default query is filled in automatically. You can accept or modify the query.
from all.data select *

Example: Directory

The JSON specification of the directory data source type has the following schema.

{
  timestampColumn:  Option[String] (optional name of the timestamp column)
  timestampPattern: Option[String] (optional Java date/time format string)
  additionalFiles:  Array[String]  (array of files constituting the data source)
  extractAsRaw: Boolean (applicable ONLY to json file types - extract as json events with a message time field)
}

Create an Event Type from the Output of a Playbook Node

  1. When creating an event type, click From Playbook/Node.
  2. Select the playbook from the dropdown list.
  3. Select the node from which you want to source the data. You can create multiple event types with the same source node.

NOTE: You can also start creating an event type directly from a node in a playbook. To open the Add Event Type settings from a playbook, select + for the node on the map and click Create Event Type.

Manage Event Types

To manage your event types, go to the My Library > Commands page. See Manage content in your library. For information on sharing event types with other users and groups, see Share content from your library.

