We currently have some hourly aggregation event definitions for things like a spike in AppLocker blocks or an increase in WAF blocks by site, where a static threshold value is configured. These alerts can be quite noisy, as what is considered a 'normal' message count varies by time of day, weekday vs. weekend, etc.
This feels like a bit of a dirty workaround but if I could set threshold values from a lookup table, I could calculate and maintain average values via API and then have the event definition pull this value based on a static key or the value from one of the group-by fields to determine if an alert should be generated.
I guess a proper way to do this would be to have some kind of baselining ability built into the event definition feature. Using my example of Increase in WAF Blocks (based on message count):
1. Grab the current message count for the event definition time period based on the configured search query.
2. Grab message counts for the same time period for each of the last X days and calculate an average.
3. Use this average as the threshold to decide whether to trigger or not.
Your Environment

- Graylog Version: 5.2.7 Cloud
- Operating System: Windows 11
- Browser version: Edge
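The baselining procedure described in the request, written out as an added example (not Graylog code and not the issue author's): it takes hourly per-site WAF-block counts, averages the same hour over the previous X days, and compares the current window against that average. The `factor` and `floor` parameters and the `min_samples` guard are my own additions beyond the three steps above, and the hourly counts are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import mean


def constructed_counts():
    """Constructed hourly WAF-block counts, keyed by (site, hour_start).

    Business hours are busier than nights, weekends are quieter, and the
    Monday 10 June 10:00 window contains an injected burst.
    """
    counts = {}
    start = datetime(2024, 6, 3)  # a Monday
    for day in range(8):  # 3 June .. 10 June
        d = start + timedelta(days=day)
        for hour in range(24):
            base = 40 if 8 <= hour < 18 else 8
            if d.weekday() >= 5:  # Saturday / Sunday
                base //= 2
            counts[("shop", d + timedelta(hours=hour))] = base
    counts[("shop", datetime(2024, 6, 10, 10))] = 150  # the burst
    return counts


def baseline_threshold(counts, site, window_start, days, min_samples=3):
    """Average count for the same hour of day over the previous `days` days.

    Returns None when fewer than `min_samples` historical windows exist,
    so a freshly created definition does not alert on an empty baseline.
    """
    samples = [
        counts[(site, window_start - timedelta(days=back))]
        for back in range(1, days + 1)
        if (site, window_start - timedelta(days=back)) in counts
    ]
    if len(samples) < min_samples:
        return None
    return mean(samples)


def should_alert(counts, site, window_start, days=7, factor=2.0, floor=10):
    """Trigger when the current window exceeds factor * baseline.

    `floor` (assumed) suppresses alerts on tiny absolute counts, where a
    doubling from 2 to 5 blocks is noise rather than a spike.
    """
    current = counts.get((site, window_start), 0)
    baseline = baseline_threshold(counts, site, window_start, days)
    if baseline is None:
        return False  # not enough history to judge
    return current >= floor and current > factor * baseline
```

Against the sample data the burst window alerts while the same hour on a quiet night, and the first day with no history, do not.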
It sounds like you just need to use the Percentage metric, rather than calculating off absolute values. Are you able to achieve what you need using that, or are you perhaps blocked by the UI as per #19372?