xinY

A workflow function that returns True if X events for an alert have occurred in the last Y seconds, and False if not. You can use this function to handle the behavior of "noisy" or "flooding" alerts.

The X-in-Y count is a floating-rate calculation that updates whenever the function processes a new duplicate event. The X count does not include the initial event that created the alert.

This function is available as a feature of the Add-ons v2.3.5 download and later.

This function is available for event workflows only.


Note

This function uses in-memory caching. To reduce memory consumption on the Workflow Engine host, it is good practice to do the following:

  • Include an event filter before this function to ensure that it processes relevant events only.

  • Implement the corresponding xinyClose action on alert closure to remove the in-memory cache for the alert.

The constants cache is configured to persist between the primary and secondary moogfarmd instances. If both moogfarmd processes are stopped, existing cached data will be lost and the XinY calculation will start from the next deduplication event received for the alert.

Arguments

Workflow Engine function xinY takes the following arguments:

| Name | Required | Type | Description |
|---|---|---|---|
| eventCount | Yes | Integer | X value — The number of events received for the alert. |
| seconds | Yes | Integer | Y value — If X events were received in the last Y seconds, return True. |

Example

The following example demonstrates a typical use of Workflow Engine function xinY.

You have an alert with a known flood condition. You can create a workflow that discards events whenever the XinY threshold has been reached. The workflow would look like this:

  1. Entry filter — Define the events of interest for this workflow.

  2. xinY function — Check if 5 events (X value) have arrived in the past 60 seconds (Y value).

  3. setCustomInfoValue function — If the X-in-Y threshold has been reached, copy the data to the event custom info:

    • key = xiny

    • value = $(workflowContext.xiny)

  4. copyFromEventToAlert — fields = ["xiny"]

  5. dropEvent — Forwarding behavior = stop all workflows

Once the workflow is running, it receives 5 events in 2 seconds. The threshold (5 events in 60 seconds) is reached. The workflow updates the custom info in the event and copies it to the relevant alert:

"custom_info": {
    "xiny": {
        "xiny": true,
        "alert_id": 982,
        "x": 5,
        "y": 2,
        "threshold": "5 events / 60s"
    }
},

You can set up subsequent workflows to update the relevant alert. For example, you can set up an alert workflow with the following entry filter:

"event_handler" = 'Alert Update' AND "custom_info.xiny.xiny" = true

The workflow then prepends the string "FLOODING " to the alert description.
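
The counting behaviour described on this page, sketched as an added JavaScript example (not Moogsoft's implementation and not code from the original page). The function signatures, the `replay` helper, the treatment of the window boundary, and the reading of `y` as the number of seconds spanned by the counted events are assumptions; the timestamps are constructed and assumed to arrive in order.

```javascript
// Added illustration of X-in-Y counting; not Moogsoft's implementation.
// All function names and signatures here are hypothetical.
const cache = new Map(); // alert id -> timestamps (ms) of duplicate events

function xinY(alertId, nowMs, eventCount, seconds) {
  const threshold = `${eventCount} events / ${seconds}s`;
  if (!cache.has(alertId)) {
    // The event that creates the alert starts the cache entry but is not counted.
    cache.set(alertId, []);
    return { xiny: false, alert_id: alertId, x: 0, y: 0, threshold };
  }
  const stamps = cache.get(alertId);
  stamps.push(nowMs);
  // Discard duplicates older than the Y-second window (assumption: an event
  // exactly Y seconds old is still counted).
  const cutoff = nowMs - seconds * 1000;
  while (stamps.length && stamps[0] < cutoff) stamps.shift();
  const x = stamps.length;
  const y = Math.round((nowMs - stamps[0]) / 1000); // seconds spanned by counted events
  return { xiny: x >= eventCount, alert_id: alertId, x, y, threshold };
}

// Counterpart to run on alert closure so the per-alert entry does not linger in memory.
function xinyClose(alertId) {
  return cache.delete(alertId);
}

// Feed a list of arrival times (in seconds) for one alert through xinY.
function replay(alertId, timesSec, eventCount, seconds) {
  return timesSec.map((t) => xinY(alertId, t * 1000, eventCount, seconds));
}

// Constructed sample: the creating event at t=0, then 5 duplicates within 2 seconds.
const demo = replay(982, [0, 1, 1.5, 2, 2.5, 3], 5, 60);
console.log(demo[demo.length - 1]);
xinyClose(982);
```

The last result printed has the same shape as the custom info shown above; once the early duplicates age out of the 60-second window, the same call returns `xiny: false` again.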