Filters—Thresholds

This page uses adding filters to an AI Engine Rule as an example. The names of windows and setting options vary slightly depending on where you are creating or modifying a filter.

The Thresholds tab appears on all Threshold AI Engine Rule block types. The threshold allows you to control when a log becomes an Event based on your selected criteria. In the example, the Bytes Out and Impacted Host Bytes Total boxes are examined in every log that meets this rule's overall criteria. If the sum of Bytes In = 50,000 or the sum of Impacted Host Bytes Total = 10,000 for all the logs within a 2 day, 1 hour and 19 minute time span, an Event is generated.

To define a threshold, complete the items on the Thresholds tab

1. Click Add.
2. Select a field from the menu and enter a Threshold value.
3. (Optional) If another Threshold is required, click Add.
4. Select one of the options:
   • Any threshold must be met
   • All thresholds must be met

5. Enter a Time Limit.
   The duration must be between 1 minute and 30 days.

   

   The duration begins from the time the first log appears that meets the threshold criteria. If the time limit is greater than 24 hours, significant system resources may be required. Consider setting the Runtime Priority to Low for such rules.

The total number of Events that are generated can be limited by how you define Event Suppression on the Settings tab of the AI Engine Rule Wizard Tabs.