Filters—Expressions
The Expressions tab appears on the Statistical and Trend AI Engine Rule blocks only. It is used to specify one or more Expressions for evaluation. If more than one expression is defined, Boolean expressions can be used to combine the logic.
- For Statistical Rules, the expressions are typically thresholds on the selected Data Fields. This lets you combine several numeric or unique values criteria in a single block. You can also compare values from different fields. For example, you could determine whether the Bytes Out traffic exceeds the Bytes In traffic by a certain factor on a set of servers, possibly indicating an attack or error.
- For Trend Rules, the expressions are typically comparisons between corresponding values (or rates of values) from the Live and the Trend Baseline data, such as Log Count, numeric values, and unique value counts. It is also possible to qualify the firing of a rule based on a specific threshold against a single field in either the Live or Baseline or both. For example, you may want to trigger a rule when the Live Log Count exceeds the Baseline Log Count by a given multiple, but not if the Baseline was below a low value.
To select or build expressions
- To open the Expression Selector, click Add.
The Expression Selector consists of the Available Expressions pane and the Selected Expression Details.- In the Available Expressions pane, the list of the expressions that are available based on the fields selected in the Data Fields appear. Unavailable expressions are dimmed. Select the Show Advanced Expressions check box to reveal the Advanced Expressions in the List. Select the Show All Expressions check box to reveal all the expressions including the ones that are not based on the Data Fields selected.
- In the Selected Expression Details, the detail is provided for each Expression Type. After an Expression is selected, the Arguments, Descriptions, and When to use explanations are provided.
- To open the Expression Builder, double-click the Expression type or highlight an expression, and then click OK.
The Expression Builder appears. Each expression builder is unique based on the Expression chosen. Options for the Field(s), Values, Operator, Multiple, Rates, and/or Offset appear. Each option lets you select from the list of available data. Use the following descriptions and formulas for guidance building expressions.
| Name | Description | Formula |
|---|---|---|
| Count | ||
Log Count Comparison | Compare the log count in the current period to the trend log count, with optional multiple and offset. | live:Count Operator (Multiple * baseline:Count) + Offset
|
Log Count Threshold | Compare the log count of a source to a threshold. | Field Operator Threshold |
| Sum | ||
Sum Comparison | Compare the sum of a quantitative value observed in a field to another, with optional multiple and offset. | Sum(Field1) Operator (Multiple * Sum(Field2)) + Offset
|
Sum Threshold | Compare the sum of quantitative values observed in a field to a fixed threshold. | Sum(Field) Operator Threshold
|
| Average | ||
Average Comparison | Compare the average of a quantitative value observed in a field to another, with optional multiple and offset. | Average(Field1) Operator (Multiple * Average(Field2)) + Offset
|
Average Threshold | Compare the average of quantitative values observed in a field to a fixed threshold. | Average(Field) Operator Threshold
|
| Rate | ||
Log Rate Comparison | Compare the rate of logs observed in live to the baseline, with optional multiple and offset. | Rate(Field1) Operator (Multiple * Rate(Field2)) + Offset [in Logs/{basis}]
|
Log Rate Threshold | Compare the rate of logs observed to a fixed threshold. | Rate(Field) Operator Threshold
|
Value Rate Comparison | Compare the rate of a quantitative value observed in a field to the rate of another field, with optional multiple and offset. | Rate(Field1) Operator (Multiple * Rate(Field2)) + Offset
|
Value Rate Threshold | Compare the rate of quantitative values observed in a field to a fixed threshold. | Rate(Field) Operator Threshold |
| Outliers | ||
Standard Deviation Comparison | Compare the Standard Deviation of quantitative values observed in a field to that of another, with optional multiple and offset. | StdDev(Field1) Operator (Multiple * StdDev(Field2)) + Offset |
Nth Percentile Comparison | Normalize one field Average by the Average and Standard Deviation of another, then compare against lower/upper percentile threshold to detect outliers. | NthPercentileCompare (Average(Field1, Field2, Low, High)
|
| Histogram | ||
Unique Value Count Comparison | Compare the count of unique non-empty values observed in a key field to another, with optional multiple and offset. | UniqueCount(Field1) Operator (Multiple * UniqueCount(Field2)) + Offset
|
Unique Value Count Threshold | Compare the count of unique non-empty values observed in a key field to a fixed threshold. | UniqueCount(Field) Operator Threshold |
Unique Value Similarity | Compare the histograms of two non-numeric fields (of the same data type), and determine how similar they are based on the values contained. | HistogramSimilarity(Field1, Field2) Operator Threshold |
| Advanced | ||
Group By Field Equality | Compare one Group By field to another of the same data type, usually in the same block. | Field1 Operator Field2
|
| Normalized Numeric Value Comparison | Compare a numeric field value to a normalized numeric field. | Value1 Operator Value2/Normalizer |
| Normalized Numeric Value Rate Comparison | Compare a numeric field value rate to a normalized numeric field rate. | Rate(Value1) Operator Rate(Value2/Normalizer) where Rate(Value) = Value/Duration |
Numeric Value Comparison | Compare one numeric field value to another, with optional multiple and offset. | Value1 Operator (Multiple * Value2+) + Offset |
| Numeric Value Threshold | Compare a numeric field value to a fixed threshold. | Value Operator Threshold |
Numeric Value Rate Comparison | Compare one numeric field value rate to another, with optional multiple and offset. | Rate(Value1) Operator (Multiple * (Rate(Value2)) + Offset where Rate(Value) = Value/Duration |
Numeric Value Rate Threshold
| Compare a numeric field value rate to a fixed threshold. | Rate(Value) Operator Threshold where Rate(Value) = Value/Duration |