Is it possible to define a severity level for an eventtype without using a lookup table? The purpose would be so that, when I run a single, generic search that provides the ability to report/alert on multiple of these eventtypes, I can differentiate between the severity of each.
Currently, the search looks something like this:
index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype
The results would look like this (in csv)
Through some method, there'd be an eventtype -> severity mapping like this:
index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype severity
The results would look like this (in csv)
Short of creating a separate lookup table (which is definitely possible, it would just be a more complicated operational process to update), what's the best method for creating that mapping? For example, I was hoping it might be possible to use tags for this. I know you can't assign values to tags (e.g. tag::severity=5), but I thought we might be able to create hierarchical tags (e.g. tag::severity::5).
I am unclear why you are avoiding a lookup table. You could create your table as a simple two column csv and have it auto lookup based on the event type value. And if you put this all in an "app" that you send through deployment server you have to only maintain it all in one spot. If you ever get into the TAs for the enterprise security or pci app you will find this is how they function. Make a lookup table leveraged by the sourcetype, define eventtypes, maybe assign tags based on eventtype but tags are not what you need here. The auto lookup is.
severity.csv in your lookups folder
eventtype,severity
eventtype1,5
eventtype2,4
eventtype3,4
eventtype4,2
add an eventtypes.conf
[eventtype1]
search = index=myindex source=thisone somethingthatmeansthistype
[eventtype2]
search = index=myindex source=thisone somethingelsethatmeansthistype
[eventtype3]
search = index=myindex source=thisone anothersomethingelsethatmeansthistype
edit your props.conf
adding an automatic lookup definition.
# LOOKUP- settings must sit under a sourcetype, source or host stanza; this one matches the source used in the search
[source::thisone]
LOOKUP-severity_from_eventtype = eventseveritylookup eventtype OUTPUT severity
edit your transforms.conf
# the stanza name must match the lookup name referenced by LOOKUP- in props.conf
[eventseveritylookup]
filename = severity.csv
... That's not to say that isn't workable, I was just hoping for a way this would be possible without going there.
Hope that explains things a little better. Thanks for your help though!
The reason for the aversion to lookup tables is how this would be supported operationally. Our list of eventtypes is a constantly growing list with contributions coming from multiple different teams.
Using lookup tables means the tables need to be manually updated every time a new eventtype is created. Since there doesn't exist (AFAICT) a way to edit lookup tables through the UI, these edits would need to either a) happen on the search heads, or b) remotely, then have the updated file pushed to the search heads. Either way, that sounds like a fair amount of overhead...
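One way to maintain the CSV from the search UI rather than on the search head's filesystem, as an added example not from the thread: inputlookup/outputlookup rewrite the lookup file in the app's lookups directory of the search head that runs the search, and dedup keeps the first row per eventtype, so placing the new row before the existing table lets the same search add a mapping or change an existing one. The eventtype name eventtype5 and its severity 3 are constructed for the illustration.

```spl
| makeresults
| eval eventtype="eventtype5", severity=3
| table eventtype severity
| append [ | inputlookup severity.csv ]
| dedup eventtype
| sort eventtype
| outputlookup severity.csv
```

Running `| inputlookup severity.csv` afterwards confirms the write. Whoever runs this needs write access to the lookup file, and if the app is also pushed from a deployer or deployment server, the pushed copy of severity.csv overwrites edits made this way, so keep one source of truth for the table.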