3 Replies Latest reply on Jul 13, 2018 1:57 PM by Bertrand Imbert

    Compare severity in mrl

    Olivier Kovacs

      Hello there.

      I'm sure this is easily done and that I'm not the first one asking, but I couldn't find an answer to my question.


      I have a rule I need to put in place where I have - amongst other things - to compare the severity of 2 events to only keep the highest one of the 2.

      I don't want to rely on huge blocks of if/then type logic and I'm not sure how I can do something like this:


      if ( $OLD.severity > $EV.severity ) then {

      } else {

      }

      (I have to admit I haven't tried the above...maybe it's that simple?!?)


      Would one of you know if there is an enumeration I can use, or a way to quantify the values for severity to be used for comparison in MRL code?


      Thanks a lot!


        • 1. Re: Compare severity in mrl
          Bertrand Imbert



          Are your 2 events the same (same source, same monitor, same slots) with different severity?


          Do you have an example?

          • 2. Re: Compare severity in mrl
            Olivier Kovacs

            Hi Bertrand.


            They are actually a bit different.

            We are trying to de-duplicate similar events.

            An example is when a host is unreachable. It could be just a ping issue; it can also be a host being down (crashed or rebooted), ...


            We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.


            So, let's say DVL_PING is only a WARNING and comes in first, we want to also keep the HOST_DOWN which is a CRITICAL.

            However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away since it's similar in nature.


            All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.


            Let me know if this is enough info.
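
One way to express the two cases from this post in MRL, as an added example that is not code from this thread or from BMC. It assumes that similar events share mc_host and mc_object_class, that MRL compares SEVERITY values by their position in the enumeration (UNKNOWN < OK < INFO < WARNING < MINOR < MAJOR < CRITICAL), and that the new/execute rule skeletons below match the MRL reference for your cell version; check those assumptions before deploying.

```mrl
# Added example, not from the thread. Keeps only the highest-severity
# "host unreachable" event open, without an if/then ladder per severity.
# Assumed: DVL_PING and HOST_DOWN both set mc_object_class to the same
# value (placeholder 'REACHABILITY'), and SEVERITY values are ordered
# UNKNOWN < OK < INFO < WARNING < MINOR < MAJOR < CRITICAL, so the
# relational operators can be used directly on $EV.severity.

# Case 1: an open event of equal or higher severity already exists
# (HOST_DOWN/CRITICAL came first, DVL_PING/WARNING arrives later).
# When the 'using' clause of a 'new' rule matches, the incoming event is
# treated as a duplicate: the actions run on the stored event and the
# incoming one is dropped.
new dedup_keep_existing_if_not_lower:
    EVENT ($NEW)
    using {
        EVENT ($OLD)
        where [ $OLD.status != CLOSED AND
                $OLD.mc_host == $NEW.mc_host AND
                $OLD.mc_object_class == $NEW.mc_object_class AND
                $NEW.severity <= $OLD.severity ]
    }
    {
        # record that the lower (or equal) symptom was seen again
        $OLD.repeat_count = $OLD.repeat_count + 1;
    }
END

# Case 2: the incoming event is more severe than the stored one
# (DVL_PING/WARNING came first, HOST_DOWN/CRITICAL arrives later).
# The 'new' rule above does not match, so $NEW is stored; this execute
# rule (assumed to accept a 'using' clause) then closes the older,
# lower-severity event so only the CRITICAL one stays open.
execute close_lower_severity_predecessor:
    EVENT ($NEW) where [ $NEW.status == OPEN ]
    using {
        EVENT ($OLD)
        where [ $OLD.status != CLOSED AND
                $OLD.mc_host == $NEW.mc_host AND
                $OLD.mc_object_class == $NEW.mc_object_class AND
                $OLD.severity < $NEW.severity ]
    }
    {
        $OLD.status = CLOSED;
    }
END
```

If your similar events are not grouped by mc_object_class, replace that slot in both where clauses with whatever your existing de-duplication logic already uses to decide that two events are "similar in nature".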



            • 3. Re: Compare severity in mrl
              Bertrand Imbert



              For me, in this case you should work with correlation rules.


              I'm still on the weekend, but I will check Monday if I have an example for you.