Filtering
The filtering step executes all search tagging and alert rules.
| Enrichment name | filtering |
|---|---|
| Stage | processing |
Table of Contents
Overview
The filtering step runs at the end of the pipeline and executes all search tagging and alert definitions.
Configuration
There are no configuration options for this enrichment, with the exception of the enabled property to enable and disable it.
Asynchronous Processing
Search tagging, especially when used with Smart Filters, can be a resource-intensive process. For that reason, this step is run asynchronously in the Pipeline. As a result items that are searchable and displayed may not yet have their search tags applied.
The default configuration is to execute all filter steps once there is a batch of 20 items or one minute has passed since an item came in. As a result, the tagging delay by default is around one minute. These settings can be changed in the filtering.ini configuration file on the Squirro cluster nodes.