Hi all,

I'm struggling with how `SingleWithThreshold` handles events that do not reach 
the threshold, and I'm hoping someone can point me in the right direction.

My goal is to correlate multiple interface up/down events into a single 
aggregated event.
I created a `SingleWithThreshold` rule that looks for three interface up/down 
events on the same host within one minute and generates a synthetic event such 
as "multiple interfaces up/down on host H". That part works fine.

The problem is what happens to individual interface events that do not trigger 
the threshold. These events are still consumed by the `SingleWithThreshold` 
rule and never reach any other rules.
I tried using a context followed by a `Suppress` rule, but then I end up with 
two individual up/down events followed by the aggregated event, which is not 
what I want.

What I would like is this behavior:
Input:
Host1 int1 up
Host1 int2 up
Host1 int3 up
Host2 int1 up

Output:
Multiple interfaces up/down on Host1
Host2 int1 up

In other words:
* If three up/down events occur on the same host within one minute, emit only 
the aggregated event and suppress the individual ones.
* If fewer than three occur, allow the individual events to be processed by 
other rules normally.

Conceptually, what I am trying to achieve is this: if a `SingleWithThreshold` 
rule does not reach its threshold, it should "release" the events it has 
ingested so far so they can be processed by other rules.

Below is my (failed) attempt:
# Rule 1: count interface up/down events per host and fire once thresh
# matching events have arrived within window seconds. continue=TakeNext
# passes every matching event on to the rules below (the default would
# stop processing here, which is what swallows the sub-threshold events).
type=SingleWithThreshold
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
desc=multiple interfaces up/down on host $+{host}
# emit the aggregated event (%s expands to desc) and open a 60 s
# suppression context for this host
action=event 0 %s; create SUPPRESS-IF-ON-HOST:$+{host} 60
window=60
thresh=2
continue=TakeNext

# Rule 2: drop individual events only while the host's context exists,
# i.e. only after the threshold above has already fired
type=Suppress
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
desc=$0
context=SUPPRESS-IF-ON-HOST:$+{host}


Any guidance on how to implement this correctly would be greatly appreciated.

Thanks,
Eli

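The buffer-and-release semantics Eli describes (hold each host's interface events, emit one aggregated event and suppress the rest when the threshold is reached inside the window, otherwise release the held events unchanged once their window elapses), simulated in Python as an added example. This is not SEC configuration and not code from the original post; it assumes events carry a timestamp in seconds, uses thresh=3 and window=60 to match the prose, and uses a constructed sample input with made-up host and interface names.

```python
import re
from collections import defaultdict

# Constructed sample input: (timestamp in seconds, raw event line).
# Host and interface names are made up for this example.
SAMPLE_EVENTS = [
    (0,  "Host1 int1 up"),
    (5,  "Host1 int2 up"),
    (10, "Host1 int3 up"),      # third Host1 event inside 60 s -> aggregate
    (12, "Host2 int1 up"),      # lone Host2 event -> released unchanged
    (20, "Host1 int4 down"),    # arrives during Host1's suppression period
]

# Python spelling of the rule's regexp (SEC uses (?<host>...), Python (?P<host>...))
IF_EVENT = re.compile(r"^(?P<host>\S+) (?P<if>\S+) (?:up|down)$")


class ThresholdCorrelator:
    """Per-host threshold correlation with release of sub-threshold events."""

    def __init__(self, thresh=3, window=60):
        self.thresh = thresh
        self.window = window
        self.pending = defaultdict(list)   # host -> [(ts, line)] still inside the window
        self.suppress_until = {}           # host -> time until which individual events are dropped

    def release_expired(self, now):
        """Return buffered lines whose window elapsed without reaching the threshold."""
        released = []
        for host in list(self.pending):
            keep = []
            for ts, line in self.pending[host]:
                if now - ts >= self.window:
                    released.append(line)   # can no longer contribute to a threshold
                else:
                    keep.append((ts, line))
            if keep:
                self.pending[host] = keep
            else:
                del self.pending[host]
        return released

    def feed(self, now, line):
        """Process one event; return the list of lines to hand to downstream rules."""
        out = self.release_expired(now)
        m = IF_EVENT.match(line)
        if not m:
            out.append(line)        # not an interface event: pass through untouched
            return out
        host = m.group("host")
        if now < self.suppress_until.get(host, float("-inf")):
            return out              # aggregated event already emitted for this host
        buf = self.pending[host]
        buf.append((now, line))
        if len(buf) >= self.thresh:
            out.append(f"multiple interfaces up/down on host {host}")
            del self.pending[host]  # the held events are replaced by the aggregate
            self.suppress_until[host] = now + self.window
        return out


def run(events, thresh=3, window=60):
    """Feed a timestamped event list through the correlator and collect its output."""
    c = ThresholdCorrelator(thresh, window)
    out = []
    for ts, line in events:
        out.extend(c.feed(ts, line))
    # end of input: whatever is still buffered is released unchanged
    out.extend(c.release_expired(float("inf")))
    return out


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Running it on the sample input prints the aggregated Host1 line followed by the untouched Host2 line; a second run with only two Host1 events inside the window, or with a third one arriving after the window, yields the individual lines instead.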
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users