Ability to specify when a filter/aggregation event is evaluated

patrickmann commented 2 years ago

What?

Add an optional evaluation time-of-day field to the filter/aggregation definition.

Default is the event creation time
Event evaluation is scheduled at this time, instead of implicitly at the creation time.
Field needs to be persisted so it can be included in content packs

Why?

The definition of a filter/aggregation event includes the frequency at which it is evaluated. However, you cannot specify when to start, i.e. at what time the filter/aggregation conditions will be evaluated. We simply start evaluation as soon as the event is defined.

This behavior makes it difficult to e.g. ensure correlated events are run in a specific order. In particular: when events are defined via a content pack, they are essentially all created at the same time.

Your Environment

Graylog Version: 4.3

coffee-squirrel commented 2 years ago

It'd be nice if this also covered expressing when the event definition applies / is active. We have some cases where the day and time matter (severity, etc.), and are currently falling back to pipelines to implement that logic; it'd be nice to eliminate that stuff in favor of something like a cron expression on the event definition.

patrickmann commented 6 months ago

Another customer request for this feature: https://github.com/Graylog2/support/issues/46

Graylog2 / graylog2-server