    Compare severity in MRL

    Olivier Kovacs

      Hello there.

      I'm sure this is easily done and that I'm not the first one asking, but I couldn't find an answer to my question.


      I have a rule I need to put in place where I have - amongst other things - to compare the severity of 2 events to only keep the highest one of the 2.

      I don't want to rely on huge blocks of if/then type logic and I'm not sure how I can do something like this:


      if ( $OLD.severity > $EV.severity ) then {

      } else {

      }

      (I have to admit I haven't tried the above... maybe it's that simple?!?)


      Would one of you know if there is an enumeration I can use, or a way to quantify the values for severity to be used for comparison in MRL code?


      Thanks a lot!


          Bertrand Imbert



          Are your 2 events the same (same source, same monitor, same slots) with different severity?


          Do you have an example?

            Olivier Kovacs

            Hi Bertrand.


            They are actually a bit different.

            We are trying to de-duplicate similar events.

            An example is when a host is unreachable. It could be just a ping issue, or it can also be a host being down (crashed or rebooted), ...


            We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.


            So, let's say DVL_PING is only a WARNING and comes in first, we want to also keep the HOST_DOWN which is a CRITICAL.

            However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away since it's similar in nature.


            All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.


            Let me know if this is enough info.
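            As an added illustration of the de-duplication described above (not code from this thread or from BMC's knowledge base), here is a New rule sketch. It assumes a hypothetical parent class HOST_AVAIL_EVENT that both DVL_PING and HOST_DOWN derive from, a shared mc_host slot identifying the host, and that MRL orders SEVERITY enumeration values so that CRITICAL > WARNING evaluates to true, which is the point the question asks about.

```mrl
# Added example, not from the original thread.
# Assumption: HOST_AVAIL_EVENT is a hypothetical class that both DVL_PING and HOST_DOWN
# derive from, and SEVERITY enumeration values compare by their position in the
# enumeration (UNKNOWN < OK < INFO < WARNING < MINOR < MAJOR < CRITICAL).

new dedup_keep_highest_severity : HOST_AVAIL_EVENT ($EV)
  using {
    # Look for a still-open event of the same family on the same host.
    HOST_AVAIL_EVENT ($OLD)
      where [ $OLD.mc_host == $EV.mc_host AND $OLD.status != CLOSED ]
  }
  {
    if ( $EV.severity > $OLD.severity ) then
    {
      # Incoming event is worse (e.g. HOST_DOWN/CRITICAL after DVL_PING/WARNING):
      # close the older event and let the new one be created.
      $OLD.status = CLOSED;
    }
    else
    {
      # Incoming event is not worse (e.g. DVL_PING/WARNING after HOST_DOWN/CRITICAL):
      # count it on the existing event and discard the new one.
      $OLD.repeat_count = $OLD.repeat_count + 1;
      drop_new;
    }
  }
END
```

If only one matching $OLD should ever be considered, keep the plain using clause as above; using ALL would run the action block once per matching open event.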



              Bertrand Imbert



              For me, in this case you should work with correlation rules.


              I'm still on my weekend, but I will check Monday if I have an example for you.