Edge Delta Suppress Processor
Overview
The Suppress Processor node is designed to manage and reduce redundant log data by suppressing logs with the same values for given key field paths when their count exceeds a specified threshold over a set interval.
Example Configuration
nodes:
  - name: suppress
    type: suppress
    key_field_paths:
      - attributes["foo"]
      - resource["host.name"]
    interval: 1m
    number_to_allow: 5
Required Parameters
name
A descriptive name for the node. This is the name that appears in Visual Pipelines, and you can use it to reference the node in the YAML. It must be unique across all nodes. It is a YAML list element, so it begins with a - and a space followed by the string. It is a required parameter for all nodes.
nodes:
  - name: <node name>
    type: <node type>
type: suppress
The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.
nodes:
  - name: <node name>
    type: <node type>
interval
The interval parameter specifies the duration over which logs are evaluated for suppression. It is a required field defined in a duration format, such as 1m for one minute.
nodes:
  - name: suppress
    type: suppress
    interval: 1m
    number_to_allow: 5
number_to_allow
This parameter sets the threshold for how many logs are permitted from a given suppression bucket within the specified interval. If logs exceed this number, they will not pass until the interval resets. It is a required integer field.
nodes:
  - name: suppress
    type: suppress
    interval: 1m
    number_to_allow: 5
key_field_paths
Defines a list of field paths that determine the suppression criteria. These fields form the key for the suppression bucket to which logs belong. It is required.
nodes:
  - name: suppress
    type: suppress
    interval: 1m
    number_to_allow: 5
    key_field_paths:
      - attributes["foo"]
      - resource["host.name"]
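The behavior described above can be modeled in a few lines to see which logs a given key choice would drop. This is an added example, not Edge Delta's implementation: the function names, the constructed sample logs, and the assumption that a bucket's interval starts at its first log and resets once the interval has elapsed are all illustrative.

```python
from collections import defaultdict

INTERVAL_S = 60        # interval: 1m
NUMBER_TO_ALLOW = 5    # number_to_allow: 5
# key_field_paths: attributes["foo"], resource["host.name"]
KEY_FIELD_PATHS = [("attributes", "foo"), ("resource", "host.name")]


def bucket_key(log):
    """Build the suppression bucket key from the configured field paths."""
    return tuple(log.get(section, {}).get(field)
                 for section, field in KEY_FIELD_PATHS)


def suppress(logs):
    """Return (passed_logs, dropped_count_per_bucket) for logs ordered by 'ts'."""
    state = {}                          # bucket key -> [window_start, count]
    passed, dropped = [], defaultdict(int)
    for log in logs:
        key = bucket_key(log)
        window = state.get(key)
        # Assumption: the window opens at the bucket's first log and
        # resets once `interval` seconds have elapsed.
        if window is None or log["ts"] - window[0] >= INTERVAL_S:
            window = state[key] = [log["ts"], 0]
        window[1] += 1
        if window[1] <= NUMBER_TO_ALLOW:
            passed.append(log)
        else:
            dropped[key] += 1           # over threshold: suppressed
    return passed, dict(dropped)


def make(ts, foo, host, body):
    return {"ts": ts, "body": body,
            "attributes": {"foo": foo}, "resource": {"host.name": host}}


# Constructed sample: bodies differ, but only the key fields pick the bucket.
SAMPLE = (
    [make(t, "auth", "web-1", f"login failed #{t}") for t in range(8)]
    + [make(10, "auth", "web-2", "login failed")]            # other host, other bucket
    + [make(65, "auth", "web-1", "login failed after reset")]  # new interval
)

if __name__ == "__main__":
    passed, dropped = suppress(SAMPLE)
    print(f"passed={len(passed)} dropped={dropped}")
```

Because the bucket is defined only by the key fields, the three suppressed web-1 logs are dropped even though their bodies differ, so the key should include every field that distinguishes events you need to keep.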