Feature request: Let "Time Interval" and "Timeout" filters optionally maintain separate counts for each individual host address

Hi there,

I've set up a rule in with several filters and actions, and this works fine. The rule works for several devices of the same type, but I'm trying to set an individual Time Interval filter for each device and I can't find out how to do this efficiently.

As mentioned, the rule applies to several devices. If one of those devices starts spewing events, these are successfully filtered out by a "Time Interval" filter. However, this filter will also filter out any events from another device, even though that device has only sent one event.

I'm now solving this by essentially duplicating the rule for each individual device and adding a specific filter to each rule matching only one individual device. While this works, it's not easy to manage: when I want to make a change I have to change many rules.

In short: it would be great if the "Time Interval" and and "Timeout" filters have the option to "Maintain individual threshold counts for each host address", just like the "Threshold" filter has.

Find more posts tagged with

future_enhancements

kiwi_syslog_server

feature_request

kiwi_syslog_9.03

Accepted answers

jurjen

Replying to myself here... reading the documentation again, I realized my problem could be solved by using Dictionaries. The following script seems to do the job (warning, not really tested):

All comments

jurjen

Replying to myself here... reading the documentation again, I realized my problem could be solved by using Dictionaries. The following script seems to do the job (warning, not really tested):

mezdem

Hi there, could you let me know if this worked? I am desperatly trying to limit the number of duplicate messages per host sent from syslog server to Orion..

Can you let me know how to impliment this as I am not sure I can find anything relating to dictionaries on my version...