5 Replies Latest reply on Feb 13, 2019 8:40 AM by Olivier Kovacs

    Compare severity in mrl

    Olivier Kovacs

      Hello there.

      I'm sure this is easily done and that I'm not the first one asking, but I couldn't find an answer to my question.

       

      I have a rule I need to put in place where I have - amongst other things - to compare the severity of 2 events to only keep the highest one of the 2.

      I don't want to rely on huge blocks of if/then type logic and I'm not sure how I can do something like this:

       

      if ( $OLD.severity > $EV.severity) then {

           ...

      } else {

           ...

      }

       

      (I have to admit I haven't tried the above...maybe it's that simple?!?)

       

      Would one of you know if there is an enumeration I can use, or a way to quantify the values for severity to be used for comparison in MRL code?

       

      Thanks a lot!

      Olivier

        • 1. Re: Compare severity in mrl
          Bertrand Imbert

          Hello

           

          Are your 2 events the same (same source, same monitor, same slots) with different severity?

           

          Do you have an example?

          • 2. Re: Compare severity in mrl
            Olivier Kovacs

            Hi Bertrand.

             

            They are actually a bit different.

            We are trying to de-duplicate similar events.

            An example is when a host is unreachable. It could be just a ping issue; it can also be a host being down (crashed or rebooted), ...

             

            We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.

             

            So, let's say DVL_PING is only a WARNING and comes in first, we want to also keep the HOST_DOWN which is a CRITICAL.

            However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away since it's similar in nature.

             

            All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.

             

            Let me know if this is enough info.

             

            Olivier

            • 3. Re: Compare severity in mrl
              Bertrand Imbert

              Hi

               

              For me in this case you should work with correlation rules.

               

              I'm still on my weekend, but I will check Monday if I have an example for you.

              • 4. Re: Compare severity in mrl
                Kaushik KM

                Hi Olivier Kovacs,

                 

                You already have the answer in your question.

                Yes, I believe that will work since you are comparing both SEVERITY slots and their definition is an enumeration type; also, I see the example below in the reference guide for comparisons.

                =============================================

                < /2 - smaller_than /2 - less_than /2 example

                 

                MINOR < $E.severity

                ================================================

                Hope you have already tested it. Let us know if it has worked for you.

                Thanks,

                Kaushik KM

                • 5. Re: Compare severity in mrl
                  Olivier Kovacs

                  Indeed, I was able to implement my solution using "greater_or_equals" operator. 

                  $OLD.Severity greater_or_equals $EV.Severity

                  So, I presume the other comparison operators also work.

                   

                  Thanks all for your help!

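As an added illustration (this is not code from the thread and not a BMC-supplied rule), here is how the severity comparison can sit directly in the where clause of an MRL `new` rule, which is what lets you avoid the if/then blocks Olivier wanted to stay away from. The rule skeleton follows the usual MRL de-duplication pattern (`new ... using ALL { ... } { ... } END`, `drop_new`). Everything else is an assumption for the example: a class HOST_UNREACHABLE from which DVL_PING and HOST_DOWN derive, "similar" meaning same mc_host, and the use of the status and repeat_count slots. The comparisons work because SEVERITY is an enumeration whose declared order is UNKNOWN < OK < INFO < WARNING < MINOR < MAJOR < CRITICAL.

```mrl
# Added example, not from this thread or from BMC's knowledge base.
# Assumptions: HOST_UNREACHABLE is a class derived from EVENT, and DVL_PING and
# HOST_DOWN are subclasses of it; "similar" means same mc_host. Replace these
# with your own de-duplication conditions.
# SEVERITY is an enumeration, ordered
#   UNKNOWN < OK < INFO < WARNING < MINOR < MAJOR < CRITICAL
# so greater_or_equals / smaller_than compare by that order.

# Rule 1: an open, similar event of the same or higher severity already
# exists (e.g. HOST_DOWN/CRITICAL is open and DVL_PING/WARNING arrives):
# count the repeat on the old event and drop the new one.
new dedup_host_unreachable_keep_old :
    HOST_UNREACHABLE ($EV)
    using ALL
    {
        HOST_UNREACHABLE ($OLD)
        where [ $OLD.status != CLOSED AND
                $OLD.mc_host == $EV.mc_host AND
                $OLD.severity greater_or_equals $EV.severity ]
    }
    {
        $OLD.repeat_count = $OLD.repeat_count + 1;
        drop_new;
    }
END

# Rule 2: the open, similar event has a lower severity (DVL_PING/WARNING is
# open and HOST_DOWN/CRITICAL arrives): close the old one and let the new
# event through (no drop_new, so $EV is stored as usual).
new dedup_host_unreachable_keep_new :
    HOST_UNREACHABLE ($EV)
    using ALL
    {
        HOST_UNREACHABLE ($OLD)
        where [ $OLD.status != CLOSED AND
                $OLD.mc_host == $EV.mc_host AND
                $OLD.severity smaller_than $EV.severity ]
    }
    {
        $OLD.status = CLOSED;
    }
END
```

The two where clauses are mutually exclusive on severity, so at most one rule acts on a given incoming event, and an incoming event with no open match is stored untouched by either rule. If you would rather escalate the existing event than close it, Rule 2's body can assign the new severity to $OLD and then drop_new instead; the comparison in the where clause stays the same either way. Check the two rules land in the intended order in your .load file, since $OLD is only modified by the rule that actually fires.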