airbus-cyber / graylog-plugin-logging-alert

Alert notification plugin for Graylog to generate log messages from alerts
24 stars, 3 forks

Separate the aggregation functionality in another plugin #34

Open frantz45 opened 3 years ago

frantz45 commented 3 years ago

The architecture of this plugin is too complex. The aggregation functionality should be put in another plugin (a pipeline function, for example).

c8y3 commented 3 years ago

Here are some raw ideas on how we could do that. The pipeline function would be set on a stream to compute a new field (what is currently called the "alert identifier"). It would take every new incoming message in the stream and check if there is a previous message in the same stream with an already computed alert identifier. If no message is found, it would compute a new identifier; otherwise it would keep the identifier found on the other message. Moreover, the so-called "split fields" (maybe we should rather call them "aggregation fields") would help refine the search even more: only messages in the time window with the same values for their aggregation fields would be considered during a search.

A totally different alternative could be to add a new kind of custom field to be used in the events definition.
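The identifier-assignment logic sketched in the comment above, written out as a stand-alone simulation. This is an added example, not code from graylog-plugin-logging-alert and not a real Graylog pipeline function (those are Java and bind to the Graylog API); it only models the search described: same stream, within the time window, same values on the aggregation fields, and reuse of an existing alert identifier when a match is found. The field name `alert_identifier`, the aggregation field names `source_ip` and `username`, the five-minute window and the sample authentication-failure messages are all constructed for the example.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Optional

# Assumed name of the field the pipeline function would compute.
ALERT_ID_FIELD = "alert_identifier"


@dataclass
class Message:
    """Minimal stand-in for a Graylog message: stream, timestamp, free-form fields."""
    stream: str
    timestamp: datetime
    fields: Dict[str, object] = field(default_factory=dict)


def find_matching_identifier(msg: Message, previous: Iterable[Message],
                             aggregation_fields: List[str],
                             window: timedelta) -> Optional[str]:
    """Return the alert identifier of the newest earlier message that matches
    msg on stream, time window and every aggregation field, or None."""
    # Design choice: a message missing one of the aggregation fields never
    # joins an existing group; it always gets its own identifier.
    if not all(f in msg.fields for f in aggregation_fields):
        return None
    for prev in reversed(list(previous)):          # newest candidate first
        if prev.stream != msg.stream:
            continue
        if ALERT_ID_FIELD not in prev.fields:       # not yet aggregated
            continue
        if abs(msg.timestamp - prev.timestamp) > window:   # outside window (tolerates late arrivals)
            continue
        if any(prev.fields.get(f) != msg.fields[f] for f in aggregation_fields):
            continue
        return str(prev.fields[ALERT_ID_FIELD])
    return None


def assign_alert_identifiers(messages: Iterable[Message], aggregation_fields: List[str],
                             window: timedelta,
                             new_id: Callable[[], str] = lambda: uuid.uuid4().hex) -> List[Message]:
    """Process messages in timestamp order, reusing or minting an alert identifier for each."""
    processed: List[Message] = []
    for msg in sorted(messages, key=lambda m: m.timestamp):
        ident = find_matching_identifier(msg, processed, aggregation_fields, window)
        if ident is None:
            ident = new_id()
        msg.fields[ALERT_ID_FIELD] = ident
        processed.append(msg)
    return processed


def make_counter(prefix: str = "alert-") -> Callable[[], str]:
    """Deterministic identifier generator so results are reproducible."""
    n = 0

    def next_id() -> str:
        nonlocal n
        n += 1
        return f"{prefix}{n}"
    return next_id


def run_example() -> List[str]:
    """Constructed sample: failed logins grouped by (source_ip, username) within 5 minutes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    stream = "auth-failures"
    sample = [
        Message(stream, t0,                          {"source_ip": "10.0.0.5", "username": "alice"}),
        Message(stream, t0 + timedelta(seconds=30),  {"source_ip": "10.0.0.5", "username": "alice"}),
        Message(stream, t0 + timedelta(seconds=45),  {"source_ip": "10.0.0.9", "username": "alice"}),
        Message(stream, t0 + timedelta(minutes=10),  {"source_ip": "10.0.0.5", "username": "alice"}),
        Message(stream, t0 + timedelta(minutes=11),  {"source_ip": "10.0.0.5", "username": "alice"}),
        Message(stream, t0 + timedelta(minutes=11, seconds=30), {"source_ip": "10.0.0.5"}),  # no username
    ]
    out = assign_alert_identifiers(sample, ["source_ip", "username"],
                                   timedelta(minutes=5), new_id=make_counter())
    return [str(m.fields[ALERT_ID_FIELD]) for m in out]


if __name__ == "__main__":
    for ident in run_example():
        print(ident)
```

Running it shows the first two messages sharing one identifier, the message from the other source address getting its own, the burst ten minutes later opening a fresh group because it falls outside the window, and the message lacking `username` never being merged. Whether a missing aggregation field should isolate a message or match other messages that also lack it is a policy decision the plugin would have to make explicitly; the example picks isolation so that incomplete events cannot silently collapse into an unrelated alert.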