2 Replies Latest reply on Jul 28, 2010 12:22 PM by mezdem

    Feature request: Let "Time Interval" and "Timeout" filters optionally maintain separate counts for each individual host address

      Hi there,

      I've set up a rule with several filters and actions, and this works fine. The rule works for several devices of the same type, but I'm trying to set an individual Time Interval filter for each device and I can't find out how to do this efficiently.

      As mentioned, the rule applies to several devices. If one of those devices starts spewing events, these are successfully filtered out by a "Time Interval" filter. However, this filter will also filter out any events from another device, even though that device has only sent one event.

      I'm now solving this by essentially duplicating the rule for each individual device and adding a specific filter to each rule matching only one individual device. While this works, it's not easy to manage: when I want to make a change I have to change many rules.

      In short: it would be great if the "Time Interval" and "Timeout" filters had the option to "Maintain individual threshold counts for each host address", just like the "Threshold" filter has.

        • Re: Feature request: Let "Time Interval" and "Timeout" filters optionally maintain separate counts for each individual host address

          Replying to myself here... reading the documentation again, I realized my problem could be solved by using Dictionaries. The following script seems to do the job (warning, not really tested):

           

          function Main()
          {
              var threshold = 30; // suppress message processing time (in minutes)

              // make sure the dictionary exists by storing a dummy item
              Dictionaries.StoreItem("Systems", "init", "true");

              var t = new Date();
              var currentTime = Math.round(t.getTime()/1000);

              if (Dictionaries.ItemExists("Systems", Fields.VarPeerAddress))
              {
                  // Repeat message from this address

                  var alertSentTime = Dictionaries.GetItem("Systems", Fields.VarPeerAddress);
                  var elapsedMinutes = (currentTime - alertSentTime) / 60;
                  if (elapsedMinutes < threshold)
                  {
                      // Do not process any further because we've recently processed a message
                      // from this address

                      Fields.ActionQuit = 1000;
                      return "OK";
                  }
                  else
                  {
                      // Process anyway, because the most recently processed message from this
                      // address was some time ago

                      Dictionaries.StoreItem("Systems", Fields.VarPeerAddress, currentTime);
                      return "OK";
                  }
              }
              else
              {
                  // First message from this address

                  Dictionaries.StoreItem("Systems", Fields.VarPeerAddress, currentTime);
                  return "OK";
              }

              // can never get here
              return "ERROR";
          }
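
The difference between a shared "Time Interval" timer and a per-address one, as discussed in this thread, shown as an added stand-alone example (not the poster's script and not the Kiwi scripting API). The names `makeIntervalFilter`, `perHost` and `maxHosts` are hypothetical, the sample events are constructed, and the sweep of expired entries goes beyond what the thread covers.

```javascript
// Stand-alone model of an interval filter; runs in Node, no syslog server needed.
// intervalMinutes: suppression window; perHost: keep one timer per peer address.
function makeIntervalFilter(intervalMinutes, perHost, maxHosts = 10000) {
  const lastPassed = new Map();          // key -> epoch seconds of last event let through
  const windowSecs = intervalMinutes * 60;

  return function shouldProcess(peerAddress, nowSecs) {
    const key = perHost ? peerAddress : "*";   // "*" = one timer shared by all devices
    const last = lastPassed.get(key);
    if (last !== undefined && nowSecs - last < windowSecs) {
      return false;                      // still inside the suppression window
    }
    // Once the table reaches maxHosts, sweep out entries whose window has
    // expired; they no longer affect any decision, so stale addresses
    // (e.g. decommissioned or spoofed senders) do not accumulate.
    if (lastPassed.size >= maxHosts) {
      for (const [k, t] of lastPassed) {
        if (nowSecs - t >= windowSecs) lastPassed.delete(k);
      }
    }
    lastPassed.set(key, nowSecs);
    return true;
  };
}

// Constructed sample: 10.0.0.1 is noisy, 10.0.0.2 sends a single event.
const sampleEvents = [
  { peer: "10.0.0.1", t: 0 },
  { peer: "10.0.0.1", t: 20 },
  { peer: "10.0.0.2", t: 45 },
  { peer: "10.0.0.1", t: 70 },
  { peer: "10.0.0.1", t: 1900 },
];

// Returns the events that would be processed, as "address@seconds" strings.
function run(perHost) {
  const filter = makeIntervalFilter(30, perHost);
  return sampleEvents.filter(e => filter(e.peer, e.t)).map(e => `${e.peer}@${e.t}`);
}

console.log("shared timer:", run(false)); // the single event from 10.0.0.2 is lost
console.log("per address: ", run(true));  // 10.0.0.2 gets through
```

With the shared timer the lone event from the quiet device is dropped along with the noisy device's repeats, which is the behaviour the feature request describes.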