The grouping-by() parser must have at least the following options defined:
key()
aggregate()
timeout()
The basic construct of the grouping-by() parser works as follows:
Does the message match the key()? -----yes-----> Has the trigger() condition been met or has the timeout() expired? -----yes-----> Does the context match having()? -----yes-----> Inject the aggregate() log message.
The following are options available to the grouping-by() parser with examples of the syntax:
key() - Specifies the key that every message must have in order to be added to the context to become aggregated.
Macros within the key must be in the following format: ${MACRO_NAME}
Example:
key("${MESSAGE}")
having() - Specifies a filter; a log message is added to the context only if the filter condition is true.
Filters within having() can be defined in one of two ways:
Option 1 - having(message("This is an example message"))
In option 1, logs whose message is "This is an example message" are added to the context of the grouping-by() parser aggregation.
Option 2 - having("${LEVEL_NUM}" == "5")
In option 2, logs whose priority level number (${LEVEL_NUM}) equals 5 are added to the context of the grouping-by() parser aggregation.
aggregate() - Specifies the aggregate message that is sent when logs meet the criteria of the grouping-by() parser.
The following example sends an aggregate log message whose ${MESSAGE} is "Aggregate Message":
aggregate(value("MESSAGE" "Aggregate Message"))
timeout() - How long to wait for additional logs that may meet the criteria of the grouping-by() parser. When a new log message meets the criteria of the grouping-by() parser, the timeout period is restarted.
grouping-by() parser examples:
The following grouping-by() parser example aggregates logs that have a Priority Level Number of "5" and sends the message "Aggregate Message":
parser p_grp_by {
    grouping-by(
        key("${LEVEL_NUM}")
        having("${LEVEL_NUM}" == "5")
        timeout(10)
        aggregate(
            value("MESSAGE" "Aggregate Message")
        )
        inject-mode("pass-through")
    );
};
The following grouping-by() parser example aggregates logs that have a message of "This is a test message" and sends the message "Aggregate Message":
parser p_grp_by {
    grouping-by(
        key("${MESSAGE}")
        having(message("This is a test message"))
        timeout(10)
        aggregate(
            value("MESSAGE" "Aggregate Message")
        )
        inject-mode("pass-through")
    );
};
The following grouping-by() parser example aggregates logs that have a program of "microsoft_event_reporting" and sends the message "Aggregate Message":
parser p_grp_by {
    grouping-by(
        key("${PROGRAM}")
        having(program("microsoft_event_reporting"))
        timeout(10)
        aggregate(
            value("MESSAGE" "Aggregate Message")
        )
        inject-mode("pass-through")
    );
};
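To make the key() / having() / timeout() / aggregate() flow concrete, the following is an added Python model of that behaviour (it is not syslog-ng code and does not reproduce its internals). It assumes messages are plain dicts of macro values, that time values are seconds, and that having() is applied to each message as described above; run_example() replays a constructed stream through the first parser example and shows that a matching message restarts the timeout, so the aggregate counts all three matches rather than firing early.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the grouping-by() flow on this page (not syslog-ng code):
# messages are dicts of macro values, times are seconds.


@dataclass
class GroupingBy:
    key: str                          # macro whose value identifies the context
    having: Callable[[dict], bool]    # having() filter applied to each message
    timeout: float                    # seconds of silence before aggregate() fires
    aggregate_message: str            # value("MESSAGE" ...) of the aggregate
    contexts: dict = field(default_factory=dict)  # key value -> (last_seen, msgs)

    def expire(self, now):
        """Emit an aggregate for every context whose timeout() has elapsed."""
        out = []
        for k, (last, msgs) in list(self.contexts.items()):
            if now - last >= self.timeout:
                out.append({"MESSAGE": self.aggregate_message, "KEY": k, "COUNT": len(msgs)})
                del self.contexts[k]
        return out

    def process(self, msg, now):
        """Feed one message at time `now`; return any aggregates emitted."""
        emitted = self.expire(now)
        if self.key not in msg or not self.having(msg):
            return emitted            # no key() value or having() false: not grouped
        k = msg[self.key]
        _, msgs = self.contexts.get(k, (now, []))
        msgs.append(msg)
        self.contexts[k] = (now, msgs)  # a matching message restarts the timeout
        return emitted


def run_example():
    """Replays a constructed stream through the first parser example (LEVEL_NUM 5)."""
    gb = GroupingBy(key="LEVEL_NUM", having=lambda m: m.get("LEVEL_NUM") == "5",
                    timeout=10, aggregate_message="Aggregate Message")
    stream = [  # (seconds, message); constructed sample input
        (0, {"LEVEL_NUM": "5", "MESSAGE": "login failed"}),
        (4, {"LEVEL_NUM": "5", "MESSAGE": "login failed"}),
        (8, {"LEVEL_NUM": "3", "MESSAGE": "debug noise"}),     # having() false
        (12, {"LEVEL_NUM": "5", "MESSAGE": "login failed"}),   # 8 s later: timeout restarts
        (30, {"MESSAGE": "no LEVEL_NUM"}),                     # 18 s of silence: aggregate fires
    ]
    emitted = []
    for t, m in stream:
        emitted += gb.process(m, t)
    return emitted
```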
© 2024 One Identity LLC. ALL RIGHTS RESERVED.