Edge Delta Trace Processor
Overview
This processor is useful to track events that have a unique ID, as well as clear start and end logs.
IDs are typically dynamic fields such as transaction IDs or trace IDs. Each event's duration is tracked, and the average, minimum and maximum durations are emitted as metrics.
Anomalies are detected by comparing the current average event duration against the history of average durations.
Example
```yaml
traces:
  - name: render-trace
    start_pattern: "rendering job: (?P<ID>[0-9a-fA-F]{8}) started"
    finish_pattern: "rendering job: (?P<ID>[0-9a-fA-F]{8}) finished"
    trigger_thresholds:
      max_duration: 50000 # 50 seconds
```
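As an added illustration (not the agent's own code), the following Python model shows how a trace processor pairs start and finish lines by the captured ID, computes per-event durations, and applies the max_duration threshold from the example above, including the case of an event that never finishes. The log lines and millisecond timestamps are constructed.

```python
import re

# Patterns from the page's render-trace example; the ID group pairs start and finish logs.
START_RE = re.compile(r"rendering job: (?P<ID>[0-9a-fA-F]{8}) started")
FINISH_RE = re.compile(r"rendering job: (?P<ID>[0-9a-fA-F]{8}) finished")
MAX_DURATION_MS = 50000  # trigger_thresholds.max_duration from the example

def trace_events(lines, start_re=START_RE, finish_re=FINISH_RE, max_ms=MAX_DURATION_MS):
    """Pair start/finish lines by captured ID; lines are (timestamp_ms, message) tuples.
    Returns count/avg/min/max of completed events in ms, IDs that breached max_ms,
    and IDs still open when the input ends."""
    open_events, durations, triggered, now = {}, [], [], None
    for ts, msg in lines:
        now = ts
        m = start_re.search(msg)
        if m:
            open_events.setdefault(m.group("ID"), ts)  # keep the first start seen
            continue
        m = finish_re.search(msg)
        if not m:
            continue  # unrelated log line
        start_ts = open_events.pop(m.group("ID"), None)
        if start_ts is None:
            continue  # finish without a matching start: nothing to measure
        durations.append(ts - start_ts)
        if ts - start_ts > max_ms:
            triggered.append(m.group("ID"))
    # An event that never finished but has already run past max_ms also meets the
    # trigger condition ("does not complete in time"), measured at the last timestamp.
    triggered += [i for i, s in open_events.items() if now is not None and now - s > max_ms]
    return {
        "count": len(durations),
        "avg_ms": sum(durations) / len(durations) if durations else None,
        "min_ms": min(durations, default=None),
        "max_ms": max(durations, default=None),
        "triggered": triggered,
        "open": sorted(open_events),
    }

# Constructed sample log (timestamp in ms, message); not real agent output.
SAMPLE_LOG = [
    (0, "rendering job: 0badf00d started"),
    (1000, "rendering job: deadbeef started"),
    (3000, "rendering job: 0badf00d finished"),   # 3 s
    (5000, "rendering job: a1b2c3d4 started"),    # never finishes
    (8000, "worker heartbeat ok"),                # no match, ignored
    (70000, "rendering job: deadbeef finished"),  # 69 s, over the 50 s limit
    (71000, "rendering job: cafebabe finished"),  # finish with no start, ignored
    (72000, "rendering job: 12345678 started"),   # still open, within limit
]
```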
Parameters
name
Required
Enter a descriptive label for this processor. When you create a workflow, you will use this label to enter your processor into the workflow.
```yaml
name: login-trace
```
start_pattern
Required
Enter a regular expression that matches the log line marking the start of an event. The ID capture group identifies the event so that it can be paired with its finish line.
```yaml
start_pattern: "user (?P<ID>[0-9a-fA-F]{8}) logged in"
```
finish_pattern
Required
Enter a regular expression that matches the log line marking the end of an event. The ID capture group must match the one captured by start_pattern.
```yaml
finish_pattern: "user (?P<ID>[0-9a-fA-F]{8}) logged out"
```
interval
Optional
This parameter is a golang duration string that represents the reporting (or rollup) interval for the generated statistics.
The default value is 1m.
```yaml
interval: 2m
```
retention
Optional
This parameter is a golang duration string that represents how far back the agent should look when generating anomaly scores.
The default value is 3h.
```yaml
retention: 4h
```
trigger_thresholds
Optional
The trigger_thresholds parameter is a dictionary that can specify certain child parameters with specific combinations of thresholds. When a threshold is reached, the trigger destination specified in the corresponding workflow is notified.
```yaml
processors:
  <processor_type>:
    - name: <processor_name>
      pattern: <regex_pattern>
      trigger_thresholds:
        <trigger_threshold_parameter>: <integer>
```
The following thresholds can be configured for trace processors:
max_duration
The max_duration parameter sets the maximum amount of time that an event is allowed to take to complete. If the event does not complete in time, the trigger condition is met. It is an integer specified in milliseconds.
anomaly_probability_percentage
The anomaly_probability_percentage parameter sets the threshold for a trigger based on the Edge Delta agent's confidence that an event is an anomaly. The range is 0-100, where 100 is the highest confidence that an event is an anomaly. There is no default value. It is configured as an integer. See the example implementation in a dimension numeric capture processor.
upper_limit_per_interval
The upper_limit_per_interval parameter sets the maximum number of events within the reporting interval. A higher occurrence triggers a notification for too many events. It is configured as an integer. See the example implementation in a simple keyword match processor.
lower_limit_per_interval
The lower_limit_per_interval parameter sets the minimum number of events within the reporting interval. A lower occurrence triggers a notification for not enough events. It is configured as an integer. See the example implementation in a dimension counter processor.
consecutive
The consecutive parameter sets the minimum number of times a threshold must be triggered before an alert is issued. It requires another trigger_threshold parameter to be set for the processor. The default is zero. It is configured as an integer. See the example implementation in a simple keyword match processor.
filters
Optional
Enter an existing filter to add to this processor.
To learn how to create a filter, see Filters.
```yaml
filters:
  - extract_severity
```