A threshold rule is defined by the threshold pattern. It collects a group of selected events within a time interval and determines, after each event is received, whether a threshold condition has been met. It is a stateful rule.
The threshold pattern collects events over a time period until a threshold value is met. The time period is indicated by a mandatory time window, as defined by the <timeWindow> element in the rule language.
This type of threshold can be useful for a very simple event count check. For example, it can answer the question: "Have 5 login failure events occurred within 1 minute?"
The sliding interval stays open as long as at least one collected event satisfies:

    event reception time + time interval duration for rule > current time

When no such event exists, the sliding interval cannot adjust the time any further, and the interval ends.
Therefore, a complex computation can be applied to create (or update) a computed threshold value, possibly using data that is saved from previous events, and the rule writer can set the defined threshold value independently of the logic that calculates the computed threshold value.
This type of threshold can be useful for the aggregation and comparison of a value to a defined threshold value. For example, it can be used to calculate the sum of the dollar amount of sales to a certain customer over a certain period of time and to compare that sum to a defined threshold value.
This threshold is defined by the <computedThreshold> element.
This type of threshold can be useful for checking a range of values. For example, if CPU utilization must be between 30% and 80% at all times, this threshold can constantly verify that the utilization remains within that range.
This threshold is defined by the <booleanThreshold> element.
If more than 4 Server unreachable events originate from the same subnetwork within a sliding time interval of 30 seconds, the rule runs an action to check the status of a router.
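The following Python model of a stateful sliding-window rule is an added example and not code from the product documentation above; it is not the rule language (no `<timeWindow>`, `<computedThreshold>` or `<booleanThreshold>` elements), only a plain-language illustration of its semantics. It implements the sliding interval described above (an event stays in the window while its reception time plus the window duration exceeds the current time) and evaluates the three threshold kinds over that window: a count threshold for the "more than 4 Server unreachable events from the same subnetwork within 30 seconds" rule, a computed threshold summing sales amounts per customer, and a boolean threshold checking a CPU range. All event records, timestamps and limits are constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowRule:
    """Stateful threshold rule over a sliding time interval.

    Events are grouped by key_fn (for example the subnetwork they originate
    from). After each event is received, the group's buffer is trimmed so that
    only events with reception_time + window > now remain; threshold_fn is
    then evaluated on the surviving events and returns True when the
    threshold condition is met.
    """

    def __init__(self, window, key_fn, threshold_fn):
        self.window = window                    # time interval duration (seconds)
        self.key_fn = key_fn
        self.threshold_fn = threshold_fn
        self.buffers = defaultdict(deque)       # key -> deque of (reception_time, event)

    def on_event(self, event, now):
        buf = self.buffers[self.key_fn(event)]
        buf.append((now, event))
        # Sliding interval: an event whose reception time + window has reached
        # 'now' can no longer keep the interval open, so it is dropped.
        while buf and buf[0][0] + self.window <= now:
            buf.popleft()
        return self.threshold_fn([e for _, e in buf])


def count_threshold(limit):
    """Count threshold: met when more than `limit` events are in the window."""
    return lambda events: len(events) > limit


def computed_threshold(value_fn, limit):
    """Computed threshold: aggregate a value over the window, compare to `limit`."""
    return lambda events: sum(value_fn(e) for e in events) >= limit


def boolean_threshold(predicate):
    """Boolean threshold: met when the most recent event satisfies `predicate`."""
    return lambda events: predicate(events[-1])


# Constructed sample data (hypothetical, not taken from the page).
UNREACHABLE_EVENTS = [
    (0,  {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),
    (5,  {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),
    (8,  {"type": "Server unreachable", "subnet": "10.0.2.0/24"}),
    (10, {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),
    (15, {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),
    (20, {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),  # 5th within 30 s -> fires
    (41, {"type": "Server unreachable", "subnet": "10.0.1.0/24"}),  # only t=15, 20, 41 remain
]

SALES_EVENTS = [
    (0,    {"customer": "acme",   "amount": 4000}),
    (3600, {"customer": "acme",   "amount": 3500}),
    (5000, {"customer": "globex", "amount": 9000}),
    (7000, {"customer": "acme",   "amount": 3000}),   # 4000 + 3500 + 3000 >= 10000 -> fires
]

CPU_SAMPLES = [
    (0,   {"host": "web1", "cpu": 45}),
    (60,  {"host": "web1", "cpu": 85}),   # above 80 -> fires
    (120, {"host": "web1", "cpu": 25}),   # below 30 -> fires
    (180, {"host": "web1", "cpu": 60}),
]


def replay_router_check_rule(events=UNREACHABLE_EVENTS):
    """Reception times at which the 'check router status' action would run."""
    rule = SlidingWindowRule(30, lambda e: e["subnet"], count_threshold(4))
    return [t for t, e in events
            if e["type"] == "Server unreachable" and rule.on_event(e, t)]


def replay_sales_rule(events=SALES_EVENTS, window=86400, limit=10000):
    """Reception times at which a customer's summed sales reach the limit."""
    rule = SlidingWindowRule(window, lambda e: e["customer"],
                             computed_threshold(lambda e: e["amount"], limit))
    return [t for t, e in events if rule.on_event(e, t)]


def replay_cpu_rule(samples=CPU_SAMPLES):
    """Reception times at which CPU utilization leaves the 30%..80% range."""
    rule = SlidingWindowRule(60, lambda e: e["host"],
                             boolean_threshold(lambda e: not 30 <= e["cpu"] <= 80))
    return [t for t, e in samples if rule.on_event(e, t)]


if __name__ == "__main__":
    print("router check at:", replay_router_check_rule())   # [20]
    print("sales limit at:", replay_sales_rule())           # [7000]
    print("cpu out of range at:", replay_cpu_rule())        # [60, 120]
```

Note that the seventh unreachable event (t=41) does not fire: the events received at t=0, 5 and 10 have already aged out of the 30-second sliding interval, leaving only three events in the window. Grouping by subnetwork also keeps the single event from 10.0.2.0/24 from contributing to the 10.0.1.0/24 count.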