Understanding Business Impact Tagging
TL;DR
The Stream pack includes a pre-configured pipelines & routes that automatically tags every event with a business_impact field. Let's explore how it works, test it with sample data, and learn how to customize it for your needs.
The Problem: Everything Looks the Same
Right now, your web logs are just… logs. Without the pack, Stream sees them all as equal. But we know better:
- 500 Internal Server Error = CRITICAL (service is down!)
- 401 Unauthorized = SECURITY (someone trying to access what they shouldn't)
- 404 Not Found = USER EXPERIENCE (broken links hurt conversion)
- 200 OK = ROUTINE (business as usual)
These events need different handling. Critical events go to your expensive, fast SIEM. Routine events go to cheap cold storage. Everything in between gets tiered appropriately.
The Solution: The parserlogs Pipeline
The Stream pack you installed includes a pipeline called parserlogs that does two things:
- Parses the raw log to extract structured fields
- Tags each event with a
business_impactfield based on HTTP status codes
Let's explore how it works.
Step 1: Open the Pre-Built Pipeline
- In Stream, navigate to Processing > Pipelines
- Find the
parserlogspipeline in the list (it came from the pack) - Click on it to open
You should see two functions already configured:
- Parser function - Extracts fields from Apache Common Log Format
- Eval function - Creates the
business_impactfield
Let's examine each one.
Step 2: Understand the Parser Function
- Click into the Parser function (first one in the pipeline)
- Observe the configuration:
- Operation Mode: Extract
- Type: Common Log Format (Apache)
- Fields extracted:
clientip,user,timestamp,request,status,bytes
- Don't change anything yet - just observe how it's configured
This Parser function takes raw Apache logs like:
87.240.128.18 - - [10/Nov/2025:17:04:04 +0000] "GET /product.screen HTTP/1.1" 200 3448
And extracts structured fields:
clientip:87.240.128.18status:200request:GET /product.screen HTTP/1.1bytes:3448
You can't make routing decisions based on fields that don't exist yet. The Parser extracts the status field so the Eval function can use it to determine business impact.
This is a fundamental pattern in Stream: Pre-Processing Parse → Route → Enrich
Step 3: Understand the Eval Function
- Click into the Eval function (second one in the pipeline)
- Look at the Value Expression for the
business_impactfield:status >= 500 && status <= 599 ? 'critical' :
status == 401 || status == 403 ? 'security' :
status == 404 ? 'user_experience' :
'routine' - Don't change anything yet - just understand the logic
Understanding the Logic
Let's break down what this expression does:
status >= 500 && status <= 599 ? 'critical' : // Step 1
status == 401 || status == 403 ? 'security' : // Step 2
status == 404 ? 'user_experience' : // Step 3
'routine' // Step 4
This is a nested ternary operator. It evaluates like this:
Step 1: Is status 5xx? → Tag as critical
- 500 Internal Server Error
- 502 Bad Gateway
- 503 Service Unavailable
- These indicate system failures that need immediate attention
Step 2: Is status 401 or 403? → Tag as security
- 401 Unauthorized: Authentication required
- 403 Forbidden: Valid auth but insufficient permissions
- These indicate potential security issues or misconfigurations
Step 3: Is status 404? → Tag as user_experience
- 404 Not Found: Broken links or missing resources
- Doesn't break the site, but hurts user experience and SEO
Step 4: Everything else? → Tag as routine
- 200 OK: Successful requests
- 301/302 Redirects: Normal navigation
- These are business-as-usual events
The pack chose these categories, but you can customize them. What's "critical" for an e-commerce site might be different from an API service. The beauty of this approach is that YOU define what "business impact" means for your organization.
Step 4: Test the Pipeline with Sample Data
Let's see the pipeline in action with real sample data.
- Still in the
parserlogspipeline view - On the right side, click Sample Data
- Click Simple
- Select the
web.logcapture (should be available from yourdatagensource) - Click through a few events in the preview
- Observe the fields that appear:
- Before Parser: Just
_raw(the raw log line) - After Parser:
clientip,status,request,bytes, etc. - After Eval:
business_impactfield appears with values likecritical,security,user_experience, orroutine
- Before Parser: Just
As you click through events, pay attention to how different status codes result in different business_impact values:
| Status | business_impact | Why |
|---|---|---|
| 200 | routine | Successful request |
| 404 | user_experience | Broken link |
| 401 | security | Auth failure |
| 500 | critical | Server error |
This single field (business_impact) is what drives all the routing decisions you'll see in the next module.
Step 5: Experiment with the Logic (Optional)
Want to customize the business impact logic for your organization? Here's how.
- In the Eval function, click Edit
- Modify the Value Expression. For example, to add 400 errors to security:
status >= 500 && status <= 599 ? 'critical' :
status == 400 || status == 401 || status == 403 ? 'security' :
status == 404 ? 'user_experience' :
'routine' - Click Save
- Observe the sample data again - 400 errors should now be tagged
security - When done experimenting, you can revert by clicking Reset or re-importing the pack
E-commerce site (shopping cart attacks are security issues):
status >= 500 ? 'critical' :
(status == 400 || status == 401 || status == 403) ? 'security' :
status == 404 ? 'user_experience' :
'routine'
API-heavy app (rate limiting is a security concern):
status >= 500 ? 'critical' :
(status == 401 || status == 403 || status == 429) ? 'security' :
status == 404 ? 'user_experience' :
'routine'
Content site (404s aren't that important):
status >= 500 ? 'critical' :
(status == 401 || status == 403) ? 'security' :
'routine'
The key is: adjust the logic to match what "business impact" means for YOUR business.
How the Pipeline Connects to Routing
This business_impact field is the foundation of everything that follows:
- Parser extracts
statusfield from raw logs - Eval creates
business_impactfield based on status - Routes use
business_impactto make routing decisions:business_impact=="critical"→ Tier 1 (SIEM)business_impact=="security"→ Tier 2 (Lakehouse)business_impact=="routine"→ Tier 3 (Lake)
In the next module, you'll explore those pre-configured routes and see this in action.
Optional: Add More Enrichments
The pack keeps the pipeline simple (Parse → Tag), but you could add more functions if needed:
Request URI Parsing
Want to extract just the path from the request?
Add an Eval function:
// Name: request_uri_path
// Value:
request.match(/^[A-Z]+\s(\S+)/)[1]
This extracts /product.screen from GET /product.screen HTTP/1.1
Geographic Enrichment
If you have an IP lookup database, you could add:
Add a Lookup function:
- Lookup file: Your IP geolocation database
- Match field:
clientip - Output fields:
country,city,ispA free one is on https://ipinfo.io/
Performance Categorization
If you track response times:
Add an Eval function:
// Name: performance_category
// Value:
response_time_ms < 100 ? 'excellent' :
response_time_ms < 500 ? 'good' :
response_time_ms < 2000 ? 'slow' :
'critical'
But for now, business_impact is all we need to demonstrate the power of tiering.
What You've Learned
At this point, you understand:
- ✅ How the Parser function extracts structured fields from raw logs
- ✅ How the Eval function creates the
business_impactfield - ✅ The logic that categorizes events as critical/security/UX/routine
- ✅ How to test the pipeline with sample data
- ✅ How to customize the logic for your business needs
This business_impact tag is the key to intelligent, automated routing. Next, you'll see how the routes use this tag to send events to the right tier.
Next: Exploring the Multi-Tier Routes →