The Switch unit is a Processor-type unit.
A variation of the Filter unit, the Switch unit can be configured with as many output ports as required. Each output port you define has an associated predicate (condition) that an event must satisfy. A condition together with its output port is called a case. Port names must be unique across the unit, including the standard ports (default, error).
An event enters through the in port. The predicates are evaluated sequentially, in the order the cases are defined, until one returns true. The event is then output through the port associated with that predicate, and the remaining cases are not evaluated.
If no predicate returns true, the event is sent to the default port.
If evaluating a predicate produces an error, the event is enriched with two additional fields, error and exception, that describe the failure, and it is output through the error port.
After dragging this unit into the Flow canvas, double-click it to access its configuration options. The following table describes the configuration options of this unit:
| Group | Option | Description |
|---|---|---|
| General | Name | Enter a name for the unit. It must start with a letter and cannot contain spaces. Only letters, numbers, and underscores are allowed. |
| Cases | | User-defined cases. Each case defines a condition (When) and a destination (To). Each destination named in a case becomes a new output port of the unit. Click the plus icon to open the list. |
| | When | Enter the predicate (condition) to be evaluated, written in the language specified. |
| | To | Enter a unique name for the output port that receives events satisfying the predicate. It must start with a letter and cannot contain spaces. Only letters, numbers, and underscores are allowed. |
| Port | Description |
|---|---|
| in | All events enter through this port. |
| User-defined | Output ports configured in the cases, each with its associated predicate. |
| default | Outputs events for which no case predicate evaluated to true, i.e. events that meet no case condition. |
| error | Outputs every event that produced an error during predicate evaluation. These events carry two additional fields, error and exception, that describe the error. |
In this example, we want to gather activity events related to two different users in our domain and send them to two different sinks (an email address and a Devo table).
To build it, first add a Devo Source unit and configure it to read events from the siem.logtrust.web.activity data table. Then link it to a Switch unit and add two cases, one per user, whose predicates select that user's activity events. Finally, link the two output ports created by those cases to an Email Sink and a Devo Sink, configured with the email address and the Devo table that should receive the events. Activity from any other user leaves the Switch through the default port, so connect that port too if those events must not be lost.
This is the configuration required for the Switch unit:
You can try this flow by downloading this JSON file and uploading it to your domain using the Import option.
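The routing rules described above (cases evaluated in order, first true predicate wins, unmatched events to default, failing predicates to error with the error and exception fields added) and the two-user flow of this example, modelled in Python. This is an added illustration, not code from the original page or from Devo Flow itself; the event field `username`, the sample rows and the port names `alice_to_email` and `bob_to_table` are assumptions for the example, and the predicates inside a real Switch unit are written in the language selected in the When field, not in Python.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed model of the Switch unit's routing; not Devo Flow code.
Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Port-name rule from the documentation: starts with a letter, no spaces,
# only letters, digits and underscores.
PORT_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
RESERVED_PORTS = {"in", "default", "error"}


def is_valid_port_name(name: str) -> bool:
    """Syntactic check only; reserved names are rejected by Switch.__init__."""
    return PORT_NAME.fullmatch(name) is not None


class Switch:
    def __init__(self, name: str, cases: List[Tuple[Predicate, str]]):
        if not is_valid_port_name(name):
            raise ValueError(f"invalid unit name: {name!r}")
        self.name = name
        self.cases = list(cases)  # order matters: the first true predicate wins
        self.ports: Dict[str, List[Event]] = {"default": [], "error": []}
        for _, port in self.cases:
            if not is_valid_port_name(port):
                raise ValueError(f"invalid port name: {port!r}")
            if port in RESERVED_PORTS or port in self.ports:
                raise ValueError(f"port name must be unique: {port!r}")
            self.ports[port] = []

    def route(self, event: Event) -> str:
        """Deliver one event and return the name of the port it left through."""
        for predicate, port in self.cases:
            try:
                matched = predicate(event)
            except Exception as exc:
                # Error path: keep the original fields, add error and exception.
                failed = dict(event)
                failed["error"] = f"evaluating the case for port {port!r} failed"
                failed["exception"] = repr(exc)
                self.ports["error"].append(failed)
                return "error"
            if matched:
                self.ports[port].append(event)
                return port
        self.ports["default"].append(event)
        return "default"

    def route_all(self, events: List[Event]) -> List[str]:
        return [self.route(e) for e in events]


# Constructed events in the shape of siem.logtrust.web.activity rows. The field
# names are assumptions for this example; check the table's columns in your domain.
SAMPLE_EVENTS: List[Event] = [
    {"eventdate": "2024-05-01 09:00:00", "username": "alice@example.com", "method": "GET", "url": "/alerts"},
    {"eventdate": "2024-05-01 09:00:05", "username": "bob@example.com", "method": "POST", "url": "/search"},
    {"eventdate": "2024-05-01 09:00:09", "username": "carol@example.com", "method": "GET", "url": "/dashboards"},
    {"eventdate": "2024-05-01 09:00:12", "method": "POST", "url": "/login"},  # no username field
]


def build_example_switch() -> Switch:
    """The two-user routing from the flow above: one output port per user."""
    return Switch("user_switch", [
        (lambda e: e["username"] == "alice@example.com", "alice_to_email"),
        (lambda e: e["username"] == "bob@example.com", "bob_to_table"),
    ])


def run_example() -> Switch:
    sw = build_example_switch()
    sw.route_all(SAMPLE_EVENTS)
    return sw


if __name__ == "__main__":
    sw = run_example()
    for port, events in sw.ports.items():
        print(port, [e.get("username", "<missing>") for e in events])
```

Two behaviours are worth checking against your own predicates. Evaluation order is the case order: if a broad case (every user of the domain, say) is listed before a narrow one (a single user), the narrow port never receives anything. And a predicate that fails, here because the row has no `username` field, does not fall through to default; the event goes to the error port carrying the original fields plus error and exception, so an unconnected error port silently loses those events.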