
Edwin AI Integration YAML File

Last updated - 12 August, 2025


The mappings.yaml file defines how events from third-party systems are mapped to Edwin AI’s Common Event Format (CEF). This configuration ensures that incoming event data is standardized and usable across Edwin AI’s processing pipeline.

While not all third-party integrations require a mapping YAML file, it is necessary for any integration that sends event data in a non-standard format or that requires transformation before ingestion by Edwin. Integrations such as Splunk and similar platforms benefit from a mapping file because it provides both compatibility and flexibility.

Mapping File Structure

All YAML files must include the following:

  • Mappings—Maps fields from third-party events to Edwin’s standardized fields using JSONPath expressions.
    event_ci: ["$.configurationItem.name"]
    event_description:
      string_template: "sample text {variable1} {v2}"
      variable1: ["$.alert_name"]
      v2: ["$.not_exist", "$.configurationItem.name", "$.source"]
    The mappings block includes the following event field definitions:
Event Field Name   Description
event_ci           The host or monitored resource (for example, a hostname or IP address).
event_object       The instance on the resource (for example, an “instance” in LogicMonitor).
event_source       Source of the event (for example, splunk).
event_name         Name describing the alert condition. Recommendation: keep the name short and specific.
event_severity     Severity of the event (for example, critical, major, minor).
event_description  Short summary of the alert.
event_details      (Optional) Long description of the alert.
event_time         Timestamp of the event. Auto-generates as the current timestamp if missing. Note: Does not support defaults.
event_id           Unique identifier. Must be a valid UUID value; auto-generates as a UUID if missing. Note: Does not support defaults.
event_domain       (Optional) Tenant ID or Customer ID (multi-tenant use cases).
*_link fields      URLs pointing to the resource or event in the source system.

You can define fallback paths by listing multiple JSONPath strings for one field. Paths are tried in order, and the first one that resolves to a valid value is used.

Note: Not all third-party integrations require every event field. For more information, see your specific integration document.

  • Defaults—Defaults are used when no mapping resolves to a value or the value is invalid.
    The following code block defines fallback values used when mappings cannot extract valid data:
    
    event_ci: "defaultEventCI"
    event_severity: 1
    event_source: "splunk"
  • Enrichments—Custom fields that supplement the core event with additional metadata.
    Common enrichments include datapoints such as location, environment (for example, development or production), and the business service or application supported by the alerting resource.
    The following code block defines enrichment fields, including a string template:
    test_enrichment: ["$.obj[0].name"]
    test_enrichment_template:
      string_template: "enrichment template {v1}"
      v1: ["$.alert_name"]

Note: Field names can be arbitrary.

  • Transforms—Transforms map non-standard values (from the source system) to the standardized values used by Edwin AI.
    The following code block defines how raw severity values are normalized into Edwin’s standard severity levels:
    event_severity:
      critical: ["crt", "critical", 5]
      major: ["mjr", "major", 4]

    If a raw severity value matches none of the values listed under any standard level, it falls back to the value of defaults.event_severity.
  • Timestamps—Define how to interpret event_time.
    The following code block specifies the timestamp format and timezone offset interpretation:
    type: "datetime"
    day_first: false
    year_first: false
    offset:
      BST: 3600
      PST: -28800
      CST: -21600

Note: Supported types: datetime (for example, 2025-07-01T10:30:00Z) or unix (for example, 1722072600).

Recommendation: Use the day_first, year_first, and offset options only when the type is datetime. The day_first and year_first options are mutually exclusive: an error occurs if both are set to true. For more information, see the parser functions from dateutil.

Use the offset option when timestamps include time zone abbreviations (for example, PST or CST). Provide a key-value mapping of abbreviation to its offset from UTC in seconds, as in the examples on this page (PST: -28800 is UTC-8). For example, {PST: -28800, CST: -21600}.

Although every block is required for a valid file, each block has its own validity rules.

Recommendation: The keys in the YAML file are case-sensitive; use lowercase consistently to avoid errors.

Recommendation: Use sandbox environments for testing your YAML structure before implementing.

The following code block displays a complete YAML file with all required blocks:

mappings:
  event_ci: ["$.configurationItem.name"]
  event_object: ["$.obj[1].name"]
  event_source: ["$.source"]
  event_name: ["$.alert_name"]
  event_description:
    string_template: "sample text {variable1} {v2}"
    variable1: ["$.alert_name"]
    v2: ["$.not_exist", "$.configurationItem.name", "$.source"]
  event_severity: ["$.event_severity"]
  event_time: ["$.timestamp"]
  event_id: ["$.event.identifier"]
 
defaults:
  event_ci: "defaultEventCI"
  event_object: "defaultEventObject"
  event_source: "splunk"
  event_name: "defaultEventName"
  event_description: "default event description"
  event_severity: 1
 
enrichments:
  test_enrichment: ["$.obj[0].name"]
  test_enrichment_template:
    string_template: "enrichment template {v1}"
    v1: ["$.alert_name"]
 
transforms:
  event_severity:
    critical: ["crt", "critical", 5]
    major: ["mjr", "major", 4]
    minor: ["min"]
    warning: ["wrn"]
    indeterminate: ["sdt"]
    clear: [0, 255]
 
 
timestamps:
  type: "datetime"
  day_first: false
  year_first: false
  offset:
    BST: 3600
    PST: -28800
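The following is an added example, not Edwin AI's own code, that shows how the blocks above fit together at run time: a small resolver that applies the complete mapping file to a raw event, walks each field's JSONPath fallback list, expands string_template blocks, normalizes severity through transforms, falls back to defaults, and interprets event_time through the timestamps block. The config is a Python dict that mirrors the page's YAML (so no YAML library is needed), JSONPath support is a hand-written subset of the form $.a.b[0].c, and the raw event is constructed for the demo. Two behaviours are assumptions rather than documented facts: a string_template whose variable cannot be resolved is treated as invalid and falls through to defaults, and a time zone abbreviation is recognised only as a trailing token of the timestamp string.

```python
"""Added example (not Edwin AI code): apply a mappings.yaml-style config to a raw
event. Config is a dict mirroring the page's YAML; JSONPath is a hand-written
subset ($.a.b[0].c); the sample event is constructed for the demo."""
import re
import uuid
from datetime import datetime, timedelta, timezone

CONFIG = {  # constructed: mirrors the complete YAML file on the page
    "mappings": {
        "event_ci": ["$.configurationItem.name"],
        "event_object": ["$.obj[1].name"],
        "event_source": ["$.source"],
        "event_name": ["$.alert_name"],
        "event_description": {"string_template": "sample text {variable1} {v2}",
                              "variable1": ["$.alert_name"],
                              "v2": ["$.not_exist", "$.configurationItem.name", "$.source"]},
        "event_severity": ["$.event_severity"],
        "event_time": ["$.timestamp"],
        "event_id": ["$.event.identifier"],
    },
    "defaults": {"event_ci": "defaultEventCI", "event_object": "defaultEventObject",
                 "event_source": "splunk", "event_name": "defaultEventName",
                 "event_description": "default event description", "event_severity": 1},
    "enrichments": {"test_enrichment": ["$.obj[0].name"],
                    "test_enrichment_template": {"string_template": "enrichment template {v1}",
                                                 "v1": ["$.alert_name"]}},
    "transforms": {"event_severity": {"critical": ["crt", "critical", 5], "major": ["mjr", "major", 4],
                                      "minor": ["min"], "warning": ["wrn"],
                                      "indeterminate": ["sdt"], "clear": [0, 255]}},
    "timestamps": {"type": "datetime", "day_first": False, "year_first": False,
                   "offset": {"BST": 3600, "PST": -28800, "CST": -21600}},
}
_STEP = re.compile(r"\.([A-Za-z_]\w*)|\[(\d+)\]")  # one ".key" or "[n]" path step

def jsonpath_get(event, path):
    """Resolve the JSONPath subset '$.a.b[0].c'; None when any step is missing."""
    if _STEP.sub("", path) != "$":
        raise ValueError(f"unsupported JSONPath: {path}")
    cur = event
    for key, idx in _STEP.findall(path):
        if key:
            cur = cur.get(key) if isinstance(cur, dict) else None
        else:
            cur = cur[int(idx)] if isinstance(cur, list) and int(idx) < len(cur) else None
        if cur is None:
            return None
    return cur

def resolve(event, spec):
    """Spec is a fallback list of paths (first valid match wins) or a string_template block."""
    if isinstance(spec, dict) and "string_template" in spec:
        values = {k: resolve(event, v) for k, v in spec.items() if k != "string_template"}
        if any(v is None for v in values.values()):
            return None  # assumption: an unresolved variable invalidates the whole template
        return spec["string_template"].format(**values)
    for path in spec:
        value = jsonpath_get(event, path)
        if value not in (None, ""):
            return value
    return None

def parse_time(value, ts):
    """Interpret event_time per the timestamps block; a trailing abbreviation uses the offset map."""
    if ts["type"] == "unix":
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    text, tz = str(value).strip(), timezone.utc
    m = re.match(r"^(.*\S)\s+([A-Z]{2,5})$", text)  # assumption: abbreviation is the last token
    if m and m.group(2) in ts.get("offset", {}):
        text, tz = m.group(1), timezone(timedelta(seconds=ts["offset"][m.group(2)]))
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=tz)

def normalize(event, config=CONFIG):
    """Build the standardized event: mappings, then transforms, then defaults, plus enrichments."""
    out = {}
    for field, spec in config["mappings"].items():
        value = resolve(event, spec)
        if field == "event_time":  # no defaults: a missing time becomes the current timestamp
            out[field] = parse_time(value, config["timestamps"]) if value is not None else datetime.now(timezone.utc)
        elif field == "event_id":  # no defaults: a missing or invalid id becomes a fresh UUID
            try:
                out[field] = str(uuid.UUID(str(value)))
            except ValueError:
                out[field] = str(uuid.uuid4())
        else:
            table = config["transforms"].get(field)
            if value is not None and table is not None:  # unknown raw value -> None -> default
                value = next((canon for canon, raw in table.items() if value in raw), None)
            out[field] = config["defaults"].get(field) if value is None else value
    for name, spec in config["enrichments"].items():
        out[name] = resolve(event, spec)
    return out

SAMPLE_EVENT = {  # constructed raw event; "$.not_exist" is deliberately absent
    "configurationItem": {"name": "web-01"}, "obj": [{"name": "disk"}, {"name": "/var"}],
    "source": "splunk", "alert_name": "DiskFull", "event_severity": "mjr",
    "timestamp": "2025-07-01 10:30:00 PST", "event": {"identifier": "not-a-uuid"},
}
```

Calling normalize(SAMPLE_EVENT) yields event_severity "major" (from the transform), event_description "sample text DiskFull web-01" (the v2 variable skipped the missing $.not_exist path and took the next match), an event_time carrying the UTC-8 offset from the PST entry, and a freshly generated UUID because "not-a-uuid" is not valid. Calling it on an event that carries only an unknown severity shows the defaults block taking over for every mapped field that supports one.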