On 12/04/2011 11:31 PM, Alan Deasy wrote:
> Hi
>
> Thanks to Risto for SEC. It has been a great success in one of the banks here.
>
> An app developer recently approached me to ask if it is possible for SEC to
> monitor multiple occurrences of an event, but if one is different, then reset
> the count.
>
> For example:
>
> 10 occurrences of "KP TechFault" within 60secs triggers an alert. But if just
> "KP" arrives within that time frame, then the count and window are reset.
>
> Any pointers in the right direction are greatly appreciated.
>
> - Alan
hi Alan,

resetting both the counting window and the counter is essentially the same as
deleting the event correlation operation that does the counting. From the SEC
perspective, the next "KP TechFault" event would start a new counting operation
anyway, with the counter initialized to 1. Therefore, I think the best way for
addressing this task is a Single rule for matching the "KP" event, and calling
the 'reset' action from this rule. A simple example ruleset could look as follows:

type=SingleWithThreshold
ptype=RegExp
pattern=^KP TechFault$
desc=Ten KP TechFaults within 60 seconds
action=write - %t: %s
thresh=10
window=60

type=Single
ptype=RegExp
pattern=^KP$
desc=Resetting KP TechFaults counting
action=write - %t: %s; reset -1 Ten KP TechFaults within 60 seconds

The first parameter for 'reset' is the rule offset which can be relative or
absolute. Relative offset -1 which we have used indicates that 'reset' works for
operations started by the previous rule (SingleWithThreshold, that is). The
second parameter is the operation description string -- it has to match the
description string of the operation that will be cleared. In the case of the
above example, the first rule always starts one operation only (since the 'desc'
field is constant and does not contain any variables), therefore the constant
"Ten KP TechFaults within 60 seconds" is given for the second parameter of
'reset'.

Note that it is safe to invoke 'reset' even if the corresponding operation is
currently not running -- in this case, the operation search yields no results
and 'reset' does nothing.

hope this helps,
risto

> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
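As an added illustration that is not part of this thread and not SEC's own code, the Python below replays constructed events through a simplified model of the two rules in Risto's reply. The model assumes the counting window is anchored at the first matching event and is not slid forward, that the threshold action runs once per window, and that the "KP" event deletes the counting operation the way 'reset -1 <desc>' does; it shows how a single "KP" line postpones the alert.

```python
import re
from dataclasses import dataclass

THRESH = 10          # thresh=10 in the SingleWithThreshold rule
WINDOW = 60          # window=60 seconds
ALERT = "Ten KP TechFaults within 60 seconds"
RESET_MSG = "Resetting KP TechFaults counting"

FAULT_RE = re.compile(r"^KP TechFault$")   # pattern of rule 1
RESET_RE = re.compile(r"^KP$")             # pattern of rule 2


@dataclass
class CountingOp:
    """One running counting operation (simplified SingleWithThreshold)."""
    start: int        # timestamp of the event that created the operation
    count: int = 0
    fired: bool = False


def correlate(events, thresh=THRESH, window=WINDOW):
    """Replay (timestamp, line) pairs and return the (timestamp, message)
    actions that would be written.  Simplification (assumption): the window
    is anchored at the first matching event and is not slid forward."""
    op = None
    actions = []
    for ts, line in events:
        # Window expired: the operation terminates and a fresh one may start.
        if op is not None and ts - op.start >= window:
            op = None
        if FAULT_RE.match(line):
            if op is None:
                op = CountingOp(start=ts)   # new operation, counter becomes 1
            op.count += 1
            if op.count == thresh and not op.fired:
                op.fired = True             # action runs once per window
                actions.append((ts, ALERT))
        elif RESET_RE.match(line):
            actions.append((ts, RESET_MSG))
            op = None                       # 'reset -1 <desc>' deletes the op
    return actions


# Constructed input: 9 faults, a bare "KP", then 10 more faults.
EVENTS_WITH_RESET = ([(t, "KP TechFault") for t in range(9)] + [(9, "KP")]
                     + [(t, "KP TechFault") for t in range(10, 20)])
# Same traffic without the "KP" line: the alert fires at the 10th fault.
EVENTS_NO_RESET = [(t, "KP TechFault") for t in range(20)]
# Five faults, then nine more after the 60 s window has expired: no alert.
EVENTS_EXPIRED = [(t, "KP TechFault") for t in range(5)] + [(70, "KP TechFault")] * 9
```

Running `correlate(EVENTS_WITH_RESET)` yields the reset action at t=9 and the alert only at t=19, whereas `correlate(EVENTS_NO_RESET)` alerts at t=9.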