Version: 3.7.0

Event-Based Rules

Prerequisites

  • Metric-based (including availability-based) and event-based alert rules differ fundamentally in the data they work on: metrics are continuously reported time-series data that reflect the status trend of a system or service, whereas events are discrete records triggered at the instant an anomaly or action occurs. Because of this difference, the two rule types need separate designs for detection logic, configuration, and response handling.
  • This document focuses on how the configuration of event-based rules differs from that of metric-based rules.

Event Type

  • Refers to the specific type of event, such as process startup or host reboot, and is consistent with the event types listed in the Event Center.
  • Rules can be configured selectively for specific event types.

Filter Conditions

  • Filtering by standard attributes, extended attributes, and entity attributes is supported.
  • Standard attributes include event severity, anomaly category, description, event status, data source, and source details.
  • Extended attributes are the extended properties in the event metadata; they let users filter quickly on event-specific attributes.
  • Entity attribute filtering supports filtering by any entity attribute. Note, however, that the selected entity type must match the primary entity of the event type; otherwise the filter conditions do not take effect.

Alert Severity

  • If "Original Severity" is selected, the severity of the original event is used directly as the severity of the generated detection event and alert. If "Custom Severity" is selected, one of the five predefined severity levels must be chosen, and the detection events and alerts generated by the event rule use that user-configured level.
  • Special note: when a rule covers multiple events, the highest severity among the original events is used directly as the severity of the detection event and alert.

Multiple Events

  • Multiple Events refers to configuring several events together in one rule, with up to 5 event detection conditions. The conditions are combined with logical OR.
  • The event type and filter conditions of each detection condition are independent and do not affect each other. An alert is generated as long as any one of the trigger conditions is met.
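As an added example (not the product's own code), the following Python models how an event-based rule as described above would evaluate: up to 5 OR-ed detection conditions, each with its own event type and standard, extended and entity filters, the rule that an entity filter only takes effect when its entity type matches the event type's primary entity, and severity taken either from the user-configured custom level or from the highest original severity among the matched events. The severity level names, the event-type-to-primary-entity mapping, the event field layout and the sample events are all assumptions made for the example.

```python
# Added example: evaluator for an event-based rule with OR-ed detection conditions.
from dataclasses import dataclass, field
from typing import Optional

# Assumed names for the five predefined severity levels, lowest to highest.
SEVERITY_RANK = {"info": 0, "warning": 1, "minor": 2, "major": 3, "critical": 4}
MAX_CONDITIONS = 5
# Assumed mapping from event type to its primary entity type.
PRIMARY_ENTITY = {"process_start": "process", "host_reboot": "host"}

@dataclass
class Condition:
    event_type: str
    standard: dict = field(default_factory=dict)  # top-level fields, e.g. severity
    extended: dict = field(default_factory=dict)  # keys under event["ext"]
    entity_type: Optional[str] = None             # entity type chosen for the filter
    entity: dict = field(default_factory=dict)    # keys under event["entity"]

def condition_matches(cond: Condition, event: dict) -> bool:
    if event["type"] != cond.event_type:
        return False
    if any(event.get(k) != v for k, v in cond.standard.items()):
        return False
    if any(event.get("ext", {}).get(k) != v for k, v in cond.extended.items()):
        return False
    # Entity filters only take effect when the selected entity type matches the
    # event type's primary entity; a mismatched entity filter is skipped (assumption).
    if cond.entity and cond.entity_type == PRIMARY_ENTITY.get(cond.event_type):
        if any(event.get("entity", {}).get(k) != v for k, v in cond.entity.items()):
            return False
    return True

def evaluate_rule(conditions, events, custom_severity=None):
    """Return (alert_fired, severity). Conditions are OR-ed: any match fires."""
    if not 1 <= len(conditions) <= MAX_CONDITIONS:
        raise ValueError(f"rule needs 1..{MAX_CONDITIONS} detection conditions")
    matched = [e for e in events if any(condition_matches(c, e) for c in conditions)]
    if not matched:
        return False, None
    if custom_severity is not None:           # Custom Severity: user-chosen level
        return True, custom_severity
    # Original Severity: the highest severity among the matched events wins.
    return True, max((e["severity"] for e in matched), key=SEVERITY_RANK.__getitem__)

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"type": "host_reboot", "severity": "critical", "entity": {"hostname": "db-01"}},
    {"type": "process_start", "severity": "warning", "ext": {"user": "root"}, "entity": {"name": "sshd"}},
]
```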