Correlator metrics¶
The following metrics are specific for LogMan.io Correlator. Detections (also known as correlation rules) are based on the Correlator microservice.
Naming and tags in Grafana and InfluxDB
- Correlator metrics groups are under the
measurementtag. - Correlator metrics are only produced for the Correlator microservice (tag
appclass) and can be further filtered with the additional tagscorrelatorto isolate a single correlator, andhost. - Each individual metric (for example,
in) is a value in thefieldtag.
correlator.predicate¶
A counter metric that counts how many events went through the predicate section, or filter, of a detection. Each metric updates once per minute, so time interval refers to the period of about one minute.
in: Number events entering the predicate in the time interval.hit: Number events successfully matching the predicate (fulfilling the conditions of the filter) in the time interval.miss: Number events missing the predicate in the time interval (not fulfilling the conditions of the filter) and thus leaving the Correlator.error: Number of errors in the predicate in the time interval.
correlator.trigger¶
A counter metric that counts how many events went through the trigger section of the correlator. The trigger defines and carries out an action. Each metric updates once per minute, so time interval refers to the period of about one minute.
in: Number events entering the trigger in the time interval.out: Number events leaving the trigger in the time interval.error: Number of errors in the trigger in the time interval, should be equal toinminusout.