Basic Statistics Filter

package ecs_stats

Definition

Description

If an event matches Condition, then for each unique value of the first FieldName (the key field, ev:host in the example below) calculate the minimum, maximum, average, count, sum, and standard deviation of the data values taken from the second FieldName (ev:val in the example), and assign them to the standard ev:stats.* fields in the event. The statistics for each unique key value are reset every TimeInterval.


Comments

The statistics are computed in real time WITHOUT storing the individual sample data values; only running aggregates are kept per unique key value.

If the FieldName parameter for the data values is empty, missing, or blank, the filter is disabled and events pass through unchanged.

If the data value is a non-numeric string, its value is taken to be zero. Such an event still counts as a sample: it increments the count, and it can pull the minimum and the average down toward zero.

If the data value is a mixed string starting with a number (e.g. "450.3 * kb/sec"), only the leading number is used as the data value.

The TimeInterval for a key starts when that unique value of FieldName is first seen.

The statistics start fresh with each ECS process run; nothing is persisted across restarts.

The cumulative statistics for each unique value of FieldName are assigned to the following event fields.

If these event fields already exist in the event (for example, set by an upstream filter), they are overwritten.

ev:stats.min
ev:stats.max
ev:stats.ave
ev:stats.count
ev:stats.sum
ev:stats.std
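The following Python model is an added example written for this page; it is not the ECS product's own code. It reproduces the behaviour described above: grouping by a key field, taking only the leading number of a mixed value string, counting non-numeric values as zero, keeping running aggregates with Welford's online algorithm so no samples are stored, and restarting a key's statistics once its TimeInterval has elapsed. Two points the page leaves open are assumptions here and marked as such in the code: ev:stats.std is computed as the population standard deviation, and an event whose data value is missing or blank passes through without being counted. The sample events are constructed for the example.

```python
import math
import re
from dataclasses import dataclass

# Leading number of a mixed string such as "450.3 * kb/sec". A value with no
# leading number (e.g. "n/a") counts as zero, as the page describes.
_LEADING_NUMBER = re.compile(r"^\s*([-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)")


def parse_value(raw):
    """Return the numeric data value the filter would derive from a field."""
    m = _LEADING_NUMBER.match(str(raw))
    return float(m.group(1)) if m else 0.0


@dataclass
class RunningStats:
    """Welford's online algorithm: aggregates only, no stored samples."""
    started: float          # time the key was first seen in this interval
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0         # running sum of squared deviations from the mean
    minimum: float = math.inf
    maximum: float = -math.inf
    total: float = 0.0

    def add(self, x):
        self.count += 1
        self.total += x
        delta = x - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (x - self.mean)
        self.minimum = min(self.minimum, x)
        self.maximum = max(self.maximum, x)

    def std(self):
        # Assumption: population standard deviation. The page does not say
        # whether ev:stats.std is the population or the sample deviation.
        return math.sqrt(self.m2 / self.count) if self.count else 0.0


class BasicStatisticsFilter:
    """Model of the filter: group by key_field, aggregate value_field."""

    def __init__(self, key_field, value_field, interval_seconds,
                 condition=lambda event: True):
        self.key_field = key_field
        self.value_field = value_field
        self.interval = interval_seconds
        self.condition = condition
        # Page: an empty or blank value FieldName disables the filter.
        self.enabled = bool(value_field and value_field.strip())
        self.groups = {}    # key value -> RunningStats

    def process(self, event, now):
        """Annotate the event in place with ev:stats.* and return it."""
        if not self.enabled or not self.condition(event):
            return event
        key = event.get(self.key_field)
        if key is None or str(key).strip() == "":
            return event    # assumption: no key value, nothing to group on
        raw = event.get(self.value_field)
        if raw is None or str(raw).strip() == "":
            return event    # assumption: missing data value is not a sample
        stats = self.groups.get(key)
        # The interval starts when the key is first seen; restart it once
        # TimeInterval has elapsed (assumption: the restart begins at `now`).
        if stats is None or now - stats.started >= self.interval:
            stats = RunningStats(started=now)
            self.groups[key] = stats
        stats.add(parse_value(raw))
        event.update({
            "ev:stats.min": stats.minimum,
            "ev:stats.max": stats.maximum,
            "ev:stats.ave": stats.mean,
            "ev:stats.count": stats.count,
            "ev:stats.sum": stats.total,
            "ev:stats.std": stats.std(),
        })
        return event


def run_sample():
    """Constructed events: eight web1 samples whose population std is
    exactly 2, one non-numeric web2 sample, then a web1 sample arriving
    after the 10-second interval has expired."""
    f = BasicStatisticsFilter("ev:host", "ev:val", interval_seconds=10)
    values = ["2", "4 ms", "4", "4", "5", "5", "7", "9"]
    last = None
    for i, v in enumerate(values):
        last = f.process({"ev:host": "web1", "ev:val": v}, now=float(i))
    web2 = f.process({"ev:host": "web2", "ev:val": "n/a"}, now=8.0)
    reset = f.process({"ev:host": "web1", "ev:val": "100"}, now=11.0)
    return last, web2, reset


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

The web2 event shows the caveat from the comments above in action: "n/a" becomes a counted sample of zero rather than being skipped, so a burst of malformed values can flatten a key's minimum and average without any error being raised.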


Example

<filter objectId="stats1" type="BasicStatisticsFilter">
	<parameter autoSetDescription="true" comments="Add comments for Condition..." description="Match all Events" type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>All</conditionRelation>
	</parameter>
	<parameter type="FieldName">ev:host</parameter>
	<parameter type="FieldName">ev:val</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>sec</units>
	</parameter>
</filter>