Aggregation Event Definitions - Allow threshold value to be retrieved from lookup table on definition execution

[AnushanLingam]

We currently have some hourly aggregation event definitions for things like spike in AppLocker blocks or increase in WAF blocks by site where a static threshold value is configured. These alerts can be quite noisy as what is considered a 'normal' message count varies by time of day/weekday vs weekend etc.

This feels like a bit of a dirty workaround but if I could set threshold values from a lookup table, I could calculate and maintain average values via API and then have the event definition pull this value based on a static key or the value from one of the group-by fields to determine if an alert should be generated.

I guess a proper way to do this would be to have some kind of baselining ability built into the event definition feature. Using my example of Increase in WAF Blocks (based on message count):

1. Grab the current message count for the event definition time period based on the configured search query
2. Grab message counts for the same time period for each of the last X days and calculate an average
3. Use this average as the threshold to decide whether to trigger or not

Your Environment

• Graylog Version: 5.2.7 Cloud
• Operating System: Windows 11
• Browser version: Edge

[tellistone]

It sounds like you just need to use the Percentage metric, rather than calculating off absolute values - are you able to achieve what you need using that, or are you perhaps blocked by UI as per #19372 ?

[AnushanLingam]

I had a feeling I was overcomplicating it, let me have a play around with the percentage metric to see if it can do what I want, cheers!