
# Filters

craph edited this page Dec 12, 2020 · 1 revision

## Filter

A filter processes an event and may create or delete events.

### filter_change

This action will monitor a certain field and match if that field changes. The field must change with respect to the last event with the same query_key.

Parameters:

- match: pattern matched against the event's tag
- tag: tag used to generate the new event on change
- alert: dict used to generate the new event on change
- compare_key: key monitored to detect a change
- query_key: key used to group events
- ignore_null=True: ignore the event if compare_key is missing. If ignore_null is false, a missing compare_key is a valid state (so its appearance or disappearance counts as a change)
- db_path=None: file path used to store the internal state. None means only RAM is used.

Example:

```yaml
- name: filter_change
  match: my_log
  tag: my_alert
  alert:
    title: The hostname change of status
    priority: 2
  compare_key: status
  query_key: hostname
```

If the events are:

- {"hostname":"foo.bar", "status":"on"}
- {"hostname":"foo.bar", "status":"off"}

then a new event is created when the second event is processed, because status changed from "on" to "off" for the same hostname.

### filter_date

This action parses a time value and allows its format to be changed. Under the hood it uses the Chronyk library, so refer to Chronyk's documentation for the supported input formats.

Parameters:

- match: pattern matched against the event's tag
- key: the key whose value is parsed
- format=None: output format of the key's value. None means a Unix timestamp

Example:

```yaml
- name: filter_date
  match: date
```

An event like {"date":"Fri, 11 Dec 2020 08:30:13 +0000"} becomes {"date":1607675413}.

It takes a date and converts it to a Unix timestamp.

### filter_remove_keys

This action removes one or more keys from the event.

Parameters:

- match: pattern matched against the event's tag
- keys: a string or a list of strings naming the keys to remove

Example:

```yaml
- name: filter_remove_keys
  match: date
  keys:
    - A
    - B
```

An event like {"A":1, "B":2, "C":3} becomes {"C":3}.

### filter_retag

This action changes the event's tag, either to a value taken from the event or to a constant value.

Parameters:

- match: pattern matched against the event's tag
- value: new tag used if key is not set (key=None) or if the key is absent from the event
- key=None: event key whose value becomes the new tag. Falls back to value when the key is missing

Example:

```yaml
- name: filter_retag
  match: my_log
  value: generic_log
  key: source
```

If event looks like {"source":"auth", "data":"xxx"}, the new tag will be "auth". If event looks like {"data":"xxx"}, the new tag will be "generic_log".

### filter_frequency

This action matches when there are at least a certain number of events in a given time frame. This may be counted on a per-query_key basis.

Parameters:

- match: pattern matched against the event's tag
- tag: tag used to generate the new event on match
- alert: dict used to generate the new event on match
- num_events: match if the number of events during the time frame is greater than or equal to this value
- timeframe: duration of the time window in seconds
- query_key=None: key used to group events; when set, events are counted per value of this key
- db_path=None: file path used to store the internal state. None means only RAM is used.

Example:

```yaml
- name: filter_frequency
  match: my_log
  tag: my_alert
  alert:
    title: The hostname change of status too often
    priority: 1
  query_key: hostname
  num_events: 10
  timeframe: 60
```
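
The filter_change and filter_frequency semantics described above, as an added reference example that is not the project's own code: state kept in RAM only (db_path=None), a sliding window per query_key, and the ignore_null edge case. It assumes event timestamps are passed in explicitly as seconds (the tool itself derives them from the event).

```python
from collections import defaultdict, deque

_UNSEEN = object()  # sentinel: no earlier event seen for this query_key
class ChangeFilter:
    """Emulates filter_change with state kept only in RAM (db_path=None)."""
    def __init__(self, compare_key, query_key, alert, ignore_null=True):
        self.compare_key, self.query_key = compare_key, query_key
        self.alert, self.ignore_null = alert, ignore_null
        self.last = {}  # query_key value -> last compare_key value seen

    def process(self, event):
        group = event.get(self.query_key)
        if group is None or (self.ignore_null and self.compare_key not in event):
            return None  # nothing to group on, or missing compare_key is ignored
        value = event.get(self.compare_key)  # None is a real state when ignore_null=False
        previous = self.last.get(group, _UNSEEN)
        self.last[group] = value
        if previous is _UNSEEN or previous == value:
            return None
        return dict(self.alert, **{self.query_key: group, "old": previous, "new": value})

class FrequencyFilter:
    """Emulates filter_frequency: count events per query_key in a sliding window."""
    def __init__(self, num_events, timeframe, alert, query_key=None):
        self.num_events, self.timeframe = num_events, timeframe
        self.alert, self.query_key = alert, query_key
        self.windows = defaultdict(deque)  # group -> timestamps still inside the window

    def process(self, event, ts):
        # ts: event time in seconds; assumed to arrive in non-decreasing order
        group = event.get(self.query_key) if self.query_key else None
        window = self.windows[group]
        window.append(ts)
        while ts - window[0] > self.timeframe:  # evict timestamps older than timeframe
            window.popleft()
        if len(window) >= self.num_events:
            return dict(self.alert, **{"group": group, "count": len(window)})
        return None

def run_examples():
    # Constructed events mirroring the filter_change example on this page.
    change = ChangeFilter("status", "hostname", {"title": "status changed", "priority": 2})
    events = [{"hostname": "foo.bar", "status": "on"}, {"hostname": "foo.bar", "status": "off"},
              {"hostname": "foo.bar"}]  # compare_key missing: skipped because ignore_null=True
    change_alerts = [a for a in map(change.process, events) if a]
    # Ten events for one host inside 60 s, then one more after the window has expired.
    freq = FrequencyFilter(10, 60, {"title": "too many changes", "priority": 1}, "hostname")
    freq_alerts = [freq.process({"hostname": "foo.bar"}, ts) for ts in list(range(10)) + [70]]
    return change_alerts, freq_alerts
```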