Ability to specify when a filter/aggregation event is evaluated

[patrickmann]

What?

Add an optional evaluation time-of-day field to the filter/aggregation definition.

• Default is the event creation time
• Event evaluation is scheduled at this time, instead of implicitly at the creation time.
• Field needs to be persisted so it can be included in content packs

Why?

The definition of a filter/aggregation event includes the frequency at which it is evaluated. However, you cannot specify when to start, i.e. at what time the filter/aggregation conditions will be evaluated. We simply start evaluation as soon as the event is defined.

This behavior makes it difficult to e.g. ensure correlated events are run in a specific order. In particular: when events are defined via a content pack, they are essentially all created at the same time.

Your Environment

• Graylog Version: 4.3

[coffee-squirrel]

It'd be nice if this also covered expressing when the event definition applies / is active. We have some cases where the day and time matter (severity, etc.), and are currently falling back to pipelines to implement that logic; it'd be nice to eliminate that stuff in favor of something like a cron expression on the event definition.