Dear all,
How can I throttle the alerts by multiple field?
For example, I would like to throttle the alerts if and only if "src_ip", "dst_ip" and "msg" all match, as in log1 and log3
log1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
log3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log4. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
My expected alert results are
alert1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
alert2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
alert3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
BR
Victor
What I did to accomplish my variant of the starting question was to output an eval-field from the search that I used as throttle field.
| eval throttleId = a_field_from_the_search + "_" + another_field_in_the_search
Throttle expression was then: throttleId
The eval-field could use just about any logic; the thread starter would possibly use the replace(X,Y,Z) function to strip out the log number.
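The composite throttle-key idea above, as an added Python model that is not Splunk code and not from this thread: it parses the question's sample logs (timestamps are constructed), builds one key from src_ip, dst_ip and msg, and suppresses repeats of that key inside a time window, yielding the three expected alerts.

```python
from datetime import datetime

# Constructed sample events mirroring the four log lines in the question;
# the timestamps are assumptions added for the throttle window.
SAMPLE_LOGS = [
    ("2024-01-01 10:00:00", "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1"),
    ("2024-01-01 10:00:05", "src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1"),
    ("2024-01-01 10:00:10", "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1"),
    ("2024-01-01 10:00:15", "src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2"),
]

THROTTLE_FIELDS = ("src_ip", "dst_ip", "msg")


def parse_kv(line):
    """Parse 'k=v k=v ...' into a dict (assumes no spaces inside values)."""
    return dict(token.split("=", 1) for token in line.split())


def throttle_key(event, fields=THROTTLE_FIELDS):
    """Composite key joined with '_', like the eval throttleId above."""
    return "_".join(event.get(f, "") for f in fields)


def throttle(events, window_seconds, fields=THROTTLE_FIELDS):
    """Return the lines that would alert; repeats of a key within the window are dropped."""
    last_alert = {}  # composite key -> time of the last alert for that key
    alerts = []
    for ts_str, line in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = throttle_key(parse_kv(line), fields)
        previous = last_alert.get(key)
        if previous is not None and (ts - previous).total_seconds() < window_seconds:
            continue  # suppressed: same src_ip/dst_ip/msg alerted inside the window
        last_alert[key] = ts
        alerts.append(line)
    return alerts


if __name__ == "__main__":
    for alert in throttle(SAMPLE_LOGS, 300):
        print(alert)
```

With a 5-minute window log3 is suppressed because its key matches log1, while log2 and log4 differ in dst_ip or msg and still alert.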
Hi Victor,
When you create your alert, you should use an AND operator in your search string. For example, I would use an IF statement to set a field, e.g. SendAlert, to a boolean value of 0 or 1, then from the results trigger an alert if SendAlert is equal to 1.
I hope this helps; if not, let me know and I'll come up with something else.
Hello aakwah,
Under "action option" in the alert item, can I put more than one field in "suppress results containing field value"?
BR
Victor
Hello,
Could you please elaborate more? As per my understanding, you could make use of the logical operator OR, as per the following query:
(source=log1 src_ip=1.1.1.1) OR (source=log3 dst_ip="2.2.2.2")
Regards
It would actually be the AND logical operator, as stated in the question, if they both match.