I’m trying to figure out if this is possible with the current alert conditions. I understand we can alert by count and we can alert by content, but what if I want an alert after a field value Y has come in X number of times? (I’m not sure I understand the aggregate condition; an explanation would be appreciated.)
In our environment, every updown Cisco event, after going through a pipeline, gets a field added with the source and interface concatenated. That way we use quick values on a dashboard to check which interfaces may be acting up.
So let’s say in the last 5 minutes the field “interface” has had the following values:
192.168.1.109-GE2/6
192.168.1.111-GE0/16
192.168.1.111-GE0/15
192.168.1.109-GE2/6
192.168.1.111-GE0/15
192.168.1.109-GE2/2
192.168.1.111-GE0/15
192.168.1.109-GE2/6
192.168.1.111-GE0/15
192.168.1.109-GE2/1
192.168.1.109-GE2/6
192.168.1.111-GE0/15
192.168.1.111-GE0/15
192.168.1.216-GE6/32
192.168.1.111-GE0/15
How can I get alerted if the field “interface” gets a count of 5+ of the same value? So for the example above, alerting me that “interface” has gone over the threshold, with the value “192.168.1.111-GE0/15” being logged more than 5 times within the last 5 minutes.
In my system I use scripts to do this. I’ll have a stream that gets messages that, say, contain your interface field. Then I have an alert for an HTTP callback for any messages that come in the stream, which sends to a server with a Perl script that parses the POST information and does the alert logic from there.
After testing, the Aggregates plugin available on the marketplace made by cvtienhoven does work for this purpose, though it would be great to see it implemented within the alerts framework.
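The alert logic a callback script like the one above would have to run, for the question’s “same value 5+ times in 5 minutes” case, written out as an added Python example (not code from this thread or from Graylog). It assumes each message arrives as a dict with a `timestamp` and the `interface` field, in timestamp order, and uses constructed timestamps 20 seconds apart for the sample values from the question.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class RepeatedValueAlert:
    """Stateful check: fire when one value of `field` is seen `threshold` or more
    times inside a sliding `window`. Messages must arrive in timestamp order."""

    def __init__(self, field="interface", threshold=5, window=timedelta(minutes=5)):
        self.field, self.threshold, self.window = field, threshold, window
        self._times = defaultdict(deque)  # value -> timestamps still inside the window
        self._firing = set()              # values already alerted, until they calm down

    def observe(self, message):
        """Feed one message; return the value that just crossed the threshold, else None."""
        value = message.get(self.field)
        if value is None:
            return None
        times = self._times[value]
        times.append(message["timestamp"])
        cutoff = message["timestamp"] - self.window
        while times[0] < cutoff:          # expire events older than the window
            times.popleft()
        if len(times) < self.threshold:
            self._firing.discard(value)   # re-arm once the value drops below threshold
            return None
        if value in self._firing:
            return None                   # still over threshold, already alerted
        self._firing.add(value)
        return value

def run_alert(messages, **kwargs):
    """Replay a batch of messages and return the values that triggered, in order."""
    check = RepeatedValueAlert(**kwargs)
    return [v for v in (check.observe(m) for m in messages) if v is not None]

# Constructed sample: the 15 "interface" values from the question, one every 20 s
SAMPLE_VALUES = [
    "192.168.1.109-GE2/6", "192.168.1.111-GE0/16", "192.168.1.111-GE0/15",
    "192.168.1.109-GE2/6", "192.168.1.111-GE0/15", "192.168.1.109-GE2/2",
    "192.168.1.111-GE0/15", "192.168.1.109-GE2/6", "192.168.1.111-GE0/15",
    "192.168.1.109-GE2/1", "192.168.1.109-GE2/6", "192.168.1.111-GE0/15",
    "192.168.1.111-GE0/15", "192.168.1.216-GE6/32", "192.168.1.111-GE0/15",
]
T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time for the sample
SAMPLE_MESSAGES = [{"timestamp": T0 + timedelta(seconds=20 * i), "interface": v}
                   for i, v in enumerate(SAMPLE_VALUES)]
if __name__ == "__main__":
    for v in run_alert(SAMPLE_MESSAGES):
        print(f'ALERT: "interface" value {v} seen 5+ times within the last 5 minutes')
```

With the sample data only 192.168.1.111-GE0/15 reaches five hits inside the window; 192.168.1.109-GE2/6 stops at four, and shrinking the window to 60 seconds lets nothing fire.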