New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AtomFilterMatchAction YAML support #1063
Comments
Could you please specify how this config looks in python? It should be possible to use all MatchRules in the yaml configs.
Is this the use case you need? |
I do not think the example you provide covers the required case as it does not contain any match actions. I was able to achieve the desired result in python config as follows:
The log file:
The value match ensures that only the values of the /model/second path are learned where the /model/first path has a value of "b". Log events where the /model/first is "a" (or any other value than "b") are not analyzed by the value detector, which is exactly what I want. This is also reflected in the output and persistency of the value detector (the path detector does not matter for this use-case):
|
I should add that I had to use the allowlist detector with an empty list for event handlers, which is maybe not ideal. We could also consider adding a new detector that only has the purpose to trigger rule matches and connected match actions. |
Thank you for preparing such a great code example! Therefore I have created the same config within yaml:
This produces exactly the same output like you have posted. (in the new branch) |
Thanks, looks good! I noticed that the default value for the delete_components parameter is False. Is it correct that if this parameter is False, we will get an anomaly as usual from the value detector for all new values in /model/second, and then we get another anomaly for the new values if the value match rule triggers the match action? So we would have the anomalies twice in case that /model/first="b"? Because in this case, I would say that the default value of delete_components should be True, because if we use a match rule then usually we want to achieve that only anomalies are generated if the match rule triggers, and otherwise not. Also, please update the documentation in the CONFIGURATION.rst to include the new parameter and functionality, maybe also add the relevant lines of the configuration as an example. |
Yes, that's how it works. Okay I will update the value to True and add the Documentation. |
Ok, thanks! |
I have changed the default value and added Documentation for all MatchActions. |
There should be a way to use a MatchRule so that only logs that match are forwarded to a specific detector, using the AtomFilterMatchAction. This can be done in python configs, but not in yaml configs. Also, tests and documentation is missing.
The text was updated successfully, but these errors were encountered: