5 Replies Latest reply on Feb 13, 2019 8:40 AM by Olivier Kovacs

    Compare severity in mrl

    Olivier Kovacs

      Hello there.

      I'm sure this is easily done and that I'm not the first one asking, but I couldn't find an answer to my question.


      I have a rule I need to put in place where I have - amongst other things - to compare the severity of 2 events to only keep the highest one of the 2.

      I don't want to rely on huge blocks of if/then type logic and I'm not sure how I can do something like this:


      if ( $OLD.severity > $EV.severity) then {

      } else {

      }

      (I have to admit I haven't tried the above...maybe it's that simple?!?)


      Would one of you know if there is an enumeration I can use, or a way to quantify the values for severity to be used for comparison in MRL code?


      Thanks a lot!


        • 1. Re: Compare severity in mrl
          Bertrand Imbert



          Are your 2 events the same (same source, same monitor, same slots) with different severity?


          Do you have an example?

          • 2. Re: Compare severity in mrl
            Olivier Kovacs

            Hi Bertrand.


            They are actually a bit different.

            We are trying to de-duplicate similar events.

            Example is when a host is unreachable.  It could be just a ping issue, it can also be a host being down (crashed or rebooted), ...


            We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.


            So, let's say DVL_PING is only a WARNING and comes in first, we want to also keep the HOST_DOWN which is a CRITICAL.

            However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away since it's similar in nature.


            All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.


            Let me know if this is enough info.



            • 3. Re: Compare severity in mrl
              Bertrand Imbert



              For me in this case you should work with correlation rules.


              I'm on weekend still, but I will check Monday if I have an example for you.

              • 4. Re: Compare severity in mrl
                Kaushik KM

                Hi Olivier Kovacs,


                You already have the answer in your question.

                Yes, I believe that will work since you are comparing both SEVERITY slots and their definition is an enumeration type; also I see the below example in the reference guide to compare.


                < /2 - smaller_than /2 - less_than /2 example:


                MINOR < $E.severity


                Hope you have already tested it. Let us know if it has already worked for you.


                Kaushik KM

                • 5. Re: Compare severity in mrl
                  Olivier Kovacs

                  Indeed, I was able to implement my solution using "greater_or_equals" operator.

                  $OLD.Severity greater_or_equals $EV.Severity

                  So, I presume the other comparison operators also work.


                  Thanks all for your help!

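As an added example (not part of the thread and not the poster's own rule), here is one way the de-duplication described above could use the operator inside the using clause of a new rule, so that an incoming event is treated as a duplicate only when an older open event for the same host is at least as severe; the rule structure is the MRL new/using/triggers form as assumed here, and mc_host and repeat_count are assumed as the similarity key and counter, to be replaced by the site's own de-duplication slots.

```mrl
# Added example, not from the thread. Assumptions: the new/using/triggers
# structure of an MRL 'new' rule, mc_host as the "similar in nature" key,
# and repeat_count as the duplicate counter on the older event.
new new_keep_highest_severity :
    EVENT ($EV)
    using {
        # Look for an older, still open event on the same host whose
        # severity is equal or higher. HOST_DOWN (CRITICAL) already open
        # matches an incoming DVL_PING (WARNING); the reverse does not.
        EVENT ($OLD)
        where [ $OLD.status != CLOSED AND
                $OLD.mc_host == $EV.mc_host AND
                $OLD.severity greater_or_equals $EV.severity ]
    }
    triggers {
        # A match means the incoming event adds nothing: record the repeat
        # on the existing event; the engine then drops the lower one.
        $OLD.repeat_count = $OLD.repeat_count + 1;
    }
END
```

When no match is found (the new event is strictly more severe, or no open event exists for that host) the rule does not fire and the event continues through the rule phases as a new event.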