airbus-cyber / graylog-plugin-alert-wizard

Alert Wizard plugin for Graylog to manage the alert rules

Use Event Fields instead of Split fields #101

Open frantz45 opened 1 year ago

frantz45 commented 1 year ago

When we created the LoggingAlert plugin we implemented split fields to merge/split alerts based on field values because Graylog had no equivalent. But now Graylog allows setting Event Fields in an Event Definition, and some of these fields can be chosen as primary keys to split alerts. We should POC this feature first to be sure it answers our purpose.
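As an added illustration (not code from this plugin or from Graylog) of what "splitting alerts on a field" means when done with an Event Definition's group-by fields: the script below simulates a count aggregation over constructed log messages and shows that one event is raised per distinct group-by key, which is the behaviour the split fields of the LoggingAlert plugin were emulating. The `build_event_definition` helper mirrors the `aggregation-v1` payload shape of Graylog's Event Definition API (`group_by`, `series`, `conditions`, `key_spec`) as I recall it; the exact field names are an assumption to be checked against the running Graylog version, and the sample messages are constructed.

```python
"""Simulate Graylog-style group-by aggregation for alert splitting.

Added example, not part of graylog-plugin-alert-wizard or Graylog itself.
The event-definition fragment is an assumption about the aggregation-v1
payload; the log messages are constructed sample data.
"""
from collections import Counter

# Constructed sample messages (not real Graylog logs).
MESSAGES = [
    {"source": "web-1", "user": "alice", "action": "login_failed"},
    {"source": "web-1", "user": "alice", "action": "login_failed"},
    {"source": "web-1", "user": "alice", "action": "login_failed"},
    {"source": "web-2", "user": "alice", "action": "login_failed"},
    {"source": "web-1", "user": "bob", "action": "login_failed"},
    {"source": "web-1", "user": "bob", "action": "login_failed"},
    {"source": "web-2", "user": "bob", "action": "login_ok"},
]


def build_event_definition(group_by, threshold):
    """Return an aggregation-v1 style event definition (assumed shape).

    group_by lists the message fields whose distinct values each produce a
    separate event; key_spec names the event fields that form the event key,
    which is what replaces the plugin's own split fields.
    """
    return {
        "title": "Failed logins per " + (", ".join(group_by) or "whole stream"),
        "priority": 2,
        "alert": True,
        "config": {
            "type": "aggregation-v1",
            "query": "action:login_failed",
            "group_by": list(group_by),
            "series": [{"id": "count-all", "function": "count"}],
            "conditions": {
                "expression": {
                    "expr": ">=",
                    "left": {"expr": "number-ref", "ref": "count-all"},
                    "right": {"expr": "number", "value": threshold},
                }
            },
            "search_within_ms": 5 * 60 * 1000,
            "execute_every_ms": 60 * 1000,
        },
        # Event fields copied from the group-by values; they form the key.
        "field_spec": {f: {"data_type": "string", "providers": []} for f in group_by},
        "key_spec": list(group_by),
    }


def evaluate(messages, group_by, threshold):
    """Apply the aggregation: count matching messages per group-by key.

    Returns one event per distinct key whose count reaches the threshold,
    sorted by key so the result is deterministic. An empty group_by means
    a single global count, i.e. no splitting at all.
    """
    counts = Counter(
        tuple(m.get(field) for field in group_by)
        for m in messages
        if m.get("action") == "login_failed"
    )
    return [
        {"key": dict(zip(group_by, key)), "count": count}
        for key, count in sorted(counts.items())
        if count >= threshold
    ]


if __name__ == "__main__":
    for group_by in ([], ["user"], ["user", "source"]):
        definition = build_event_definition(group_by, threshold=3)
        events = evaluate(MESSAGES, group_by, threshold=3)
        print(definition["title"], "->", len(events), "event(s)")
        for event in events:
            print("   ", event)
```

Without group-by fields the six failed logins collapse into one event; grouping by `user` raises one event for alice only (bob stays below the threshold); grouping by `user` and `source` narrows it further to the alice/web-1 pair. That is the split behaviour the issue proposes to obtain from Graylog's own Event Fields rather than from the plugin.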

frantz45 commented 6 months ago

I think "Group-by" fields are sufficient