What is an enumerated value?

Modified on Fri, 17 Nov 2023 at 10:53 AM

The Gravwell pipeline extracts data from entries into "enumerated values" for ease of manipulation.

The first module of a Gravwell search pipeline sees only raw entries, each consisting of a timestamp, a tag, and a chunk of binary data. The data might be an entire network packet, a JSON-encoded Reddit comment, or a single syslog line. Each successive module in the pipeline can attach enumerated values to the entry. An enumerated value is a single piece of data created and used within the pipeline; it is not stored with the raw entry. For instance, the "packet" module (https://dev.gravwell.io/docs/#!search/packet/packet.md) can extract pieces of information from raw network packets, and each piece becomes a separate enumerated value. So the module invocation "packet ipv4.SrcIP tcp.SrcPort" will create two enumerated values for each entry: one named "SrcIP" containing an IP address and one named "SrcPort" containing an integer port number. Modules later in the pipeline can then filter, aggregate, or render on those values. You can read more about enumerated values and searching in general in the search documentation (https://dev.gravwell.io/docs/#!search/search.md).
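To make the mechanism concrete, here is an added Python model of the pipeline described above; it is illustrative code written for this article, not Gravwell's implementation. The `Entry`, `packet_module`, `require_ev` and `run_pipeline` names, and the sample packet and syslog bytes, are all constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# A raw entry as the first module sees it: timestamp, tag, raw bytes.
# "evs" holds the enumerated values that modules attach; it starts empty.
@dataclass
class Entry:
    ts: float
    tag: str
    data: bytes
    evs: Dict[str, Any] = field(default_factory=dict)

Module = Callable[[Entry], Optional[Entry]]  # None means "drop this entry"

def packet_module(entry: Entry) -> Entry:
    """Model of 'packet ipv4.SrcIP tcp.SrcPort': attach SrcIP and SrcPort EVs."""
    d = entry.data
    if len(d) < 20 or d[0] >> 4 != 4:
        return entry  # not an IPv4 packet: pass through, no EVs added
    ihl = (d[0] & 0x0F) * 4                        # IPv4 header length in bytes
    entry.evs["SrcIP"] = ".".join(str(b) for b in d[12:16])
    if d[9] == 6 and len(d) >= ihl + 4:            # protocol 6 = TCP
        entry.evs["SrcPort"] = struct.unpack("!H", d[ihl:ihl + 2])[0]
    return entry

def require_ev(name: str) -> Module:
    """Model of a downstream module that keeps only entries carrying a given EV."""
    return lambda e: e if name in e.evs else None

def run_pipeline(entries: List[Entry], modules: List[Module]) -> List[Entry]:
    """Feed each entry through the modules in order; a None result drops it."""
    out = []
    for e in entries:
        for m in modules:
            e = m(e)
            if e is None:
                break
        else:
            out.append(e)
    return out

def sample_entries() -> List[Entry]:
    """Constructed sample input: one IPv4/TCP packet and one syslog line."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                       bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return [Entry(1700000000.0, "pcap", ipv4 + tcp),
            Entry(1700000001.0, "syslog", b"<34>Nov 17 10:53:00 host sshd[1]: ok")]
```

Running `run_pipeline(sample_entries(), [packet_module, require_ev("SrcPort")])` keeps only the packet entry, now carrying `{'SrcIP': '10.0.0.5', 'SrcPort': 443}`, while the syslog entry passes through the packet module untouched and is then dropped because it never gained a SrcPort value.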
