3 Replies Latest reply on Jul 13, 2018 1:57 PM by Bertrand Imbert

    Compare severity in mrl

    Olivier Kovacs

      Hello there.

      I'm sure this is easily done and that I'm not the first one asking, but I couldn't find an answer to my question.

       

      I have a rule I need to put in place where I have - amongst other things - to compare the severity of 2 events to only keep the highest one of the 2.

      I don't want to rely on huge blocks of if/then type logic and I'm not sure how I can do something like this:

       

      if ( $OLD.severity > $EV.severity) then {

           ...

      } else {

           ...

      }

       

      (I have to admit I haven't tried the above...maybe it's that simple?!?)

       

      Would one of you know if there is an enumeration I can use, or a way to quantify the values for severity to be used for comparison in MRL code?

       

      Thanks a lot!

      Olivier

        • 1. Re: Compare severity in mrl
          Bertrand Imbert

          Hello

           

          Are your 2 events the same (same source, same monitor, same slots) with different severity?

           

          Do you have an example?

          • 2. Re: Compare severity in mrl
            Olivier Kovacs

            Hi Bertrand.

             

            They are actually a bit different.

            We are trying to de-duplicate similar events.

            An example is when a host is unreachable. It could be just a ping issue, it can also be a host being down (crashed or rebooted), ...

             

            We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.

             

            So, let's say DVL_PING is only a WARNING and comes in first, we want to also keep the HOST_DOWN which is a CRITICAL.

            However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away since it's similar in nature.

             

            All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.

             

            Let me know if this is enough info.

             

            Olivier
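            A plain-Python sketch of the approach the question is asking about: quantify each severity label as an integer rank, then let the de-duplication decision be a plain numeric comparison. This is an added example, not MRL and not code from either poster. The rank order below (UNKNOWN up to CRITICAL) is an assumption modelled on the usual Impact Manager severity enumeration and should be checked against the cell's own enumeration definition; the "same host" similarity key and the DVL_PING / HOST_DOWN sample events are constructed to mirror the scenario described above.

```python
"""Severity comparison for event de-duplication (added example, plain Python).

The ranking is an ASSUMPTION modelled on the usual BMC Impact Manager severity
order, lowest to highest; verify it against your own cell's enumeration before
relying on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {
    "UNKNOWN": 0, "OK": 1, "INFO": 2, "WARNING": 3,
    "MINOR": 4, "MAJOR": 5, "CRITICAL": 6,
}


@dataclass(frozen=True)
class Event:
    cls: str       # event class, e.g. DVL_PING or HOST_DOWN
    host: str      # hypothetical similarity key: events on the same host are "similar"
    severity: str  # severity as the label that arrives in the event slot


def severity_rank(label: str) -> int:
    """Map a severity label to a comparable integer.

    An unknown label raises instead of silently ranking as 'lowest', so a typo in
    a rule cannot make a CRITICAL event lose to a WARNING.
    """
    try:
        return SEVERITY_RANK[label.upper()]
    except KeyError:
        raise ValueError(f"unknown severity label: {label!r}") from None


def is_higher_severity(new: Event, old: Event) -> bool:
    """True only when the new event outranks the old one (equal severity is not higher)."""
    return severity_rank(new.severity) > severity_rank(old.severity)


def process(events: List[Event]) -> Tuple[List[Tuple[str, str]], Dict[str, Event]]:
    """Replay events in arrival order, keeping one open event per host.

    Returns (decisions, open_events): decisions records the action taken for each
    incoming event; open_events is the surviving event per host.
    """
    open_events: Dict[str, Event] = {}
    decisions: List[Tuple[str, str]] = []
    for ev in events:
        current = open_events.get(ev.host)
        if current is None:
            open_events[ev.host] = ev            # nothing similar is open yet
            decisions.append((ev.cls, "OPEN"))
        elif is_higher_severity(ev, current):
            open_events[ev.host] = ev            # new one wins, old one gets closed
            decisions.append((ev.cls, f"OPEN, CLOSE {current.cls}"))
        else:
            decisions.append((ev.cls, "DROP"))   # same or lower severity: ignore it
    return decisions, open_events


if __name__ == "__main__":
    # Constructed sample: WARNING ping failure arrives before the CRITICAL host-down.
    ping_first = [Event("DVL_PING", "srv01", "WARNING"),
                  Event("HOST_DOWN", "srv01", "CRITICAL")]
    # Constructed sample: CRITICAL host-down arrives first, then the ping failure.
    down_first = [Event("HOST_DOWN", "srv01", "CRITICAL"),
                  Event("DVL_PING", "srv01", "WARNING")]
    for sample in (ping_first, down_first):
        decisions, survivors = process(sample)
        print(decisions, "->", {h: e.cls for h, e in survivors.items()})
```

            In the first replay DVL_PING is opened and then replaced by HOST_DOWN; in the second HOST_DOWN is opened and the later DVL_PING is dropped, which is the behaviour described in the post above. The same idea carries over to any rule language: the only thing the rule needs is a stable label-to-integer table, after which `>` does the work.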

            • 3. Re: Compare severity in mrl
              Bertrand Imbert

              Hi

               

              For me in this case you should work with correlation rules.

               

              I'm on weekend still, but I will check Monday if I have an example for you.