- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How can I throttle the alerts by multiple fiel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I throttle the alerts by multiple field?
Dear all,
How can I throttle the alerts by multiple field?
For example, I would like to throttle the alerts if and only if both "src_ip" "dst_IP" "msg" are matched in log1 and log3
log1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
log3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
log4. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
My expected alert results are
alert1. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack1
alert2. src_ip=1.1.1.1 dst_ip=3.3.3.3 msg=attack1
alert3. src_ip=1.1.1.1 dst_ip=2.2.2.2 msg=attack2
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I did to accomplish my variant of the starting question was to output an eval-field from the search that I used as throttle field.
| eval throttleId = a_field_from_the_search + "_" + another_field_in_the_search
Throttle expression was then: throttleId
The eval-field could use just about any logic, the threadstarter would possibly use the replace(X,Y,Z) function to strip out the log number.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Victor,
When you create your alert, you should use an AND operator in your search string, for example I would use an IF statement to set a field, e.g. SendAlert, to a boolean value of 0 or 1, then from the results trigger an alert if SendAlert is equal to 1.
I hope this helps, if not, let me know and I'll come up with something else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello aakwah,
Under "action option" in the alert item, can i put more than one field in "suppress results containing field value"?
BR
Victor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Could you please elaborate more, as per my understanding you could make use of logical operator OR as per the following query:
(source=log1 src_ip=1.1.1.1) OR (source=log3 dst_ip="2.2.2.2")
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would actually be the AND logical operator, as stated in the question, if they both match.
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
