I have a couple of questions. I just want to ask, first, my situation is that I have an
Event(to avoid confusion lets say that event named AGENT) which has a timestamp in epoch format, and I want to compare it with an Event
which stands for a downtime and has a start and end timestamp epoch, to see if the
Event is within the interval of the start and end timestamp epoch of the downtime.
My first question is, can somebody explain to me why my start and end values are null
in my graylog rules when i test ? I can’t figure out the solution or find the problem
with that.
My Second question is, when I write something into my Dynamic Lookup Table(DLT), and do a lookup
after that, the last two entires that I wrote previously are provided to me right ?
Is there an efficient way to use a while loop or any loop to check if the event
timestamp is ever within the interval of the start and end times i’ve ever written into the DLT ?
This Event(AGENT) does not happen frequently, but the downtime start and end times occur quite often during the day, And i want to write every start and end times into the DLT.
I would appreciate an answer, if someone could help me please !
Answer to Your First Question:
The starttime and endtime fields are null because the lookup is not returning any values. There are a few potential reasons for this: Key Mismatch: Ensure that the keys you are using in the lookup exactly match the keys in your lookup table. Data Availability: Make sure the data is actually present in the lookup table for the given keys. Correct Data Adapter: Verify that the data adapter is correctly configured and associated with the lookup table
Answer to Your Second Question:
To efficiently check if an event timestamp is within the interval of start and end times in your Dynamic Lookup Table (DLT), you can use a pipeline rule with a loop.
like this
rule "Check Event Within Interval"
when
has_field("event_timestamp")
then
let event_time = parse_date($message.event_timestamp);
let start_times = lookup("downtime", "start_times_key");
let end_times = lookup("downtime", "end_times_key");
// Assuming start_times and end_times are lists
for (let i = 0; i < length(start_times); i++) {
let start_time = parse_date(start_times[i]);
let end_time = parse_date(end_times[i]);
if (event_time >= start_time && event_time <= end_time) {
set_field("event_within_downtime", true);
break;
} else {
set_field("event_within_downtime", false);
}
}
end
thank you very much for your reply ! I’m gonna have a look at that. Yes I try to figure out whats the problem with the adding the value to the lookup table.
