updateEventsAnalyserConfig

A Graze API POST request that updates the Events Analyser configuration.

You cannot use this endpoint to update the lists of priority words and stop words in the Events Analyser configuration. Use updateEventsAnalyserWords to replace an existing list of priority words or stop words. Use addEventsAnalyserWord to add a single word to a list of priority words or stop words, or removeEventsAnalyserWord to remove a single word.

If you use partitions in the entropy calculations, use updateEventsAnalyserPartitionOverrides to update the Events Analyser configuration with any partition overrides you want to implement.


Request arguments

The updateEventsAnalyserConfig endpoint accepts the following request arguments. Authenticate the request and provide at least one of the remaining arguments. The endpoint only updates the properties you provide; anything you omit keeps its current value.

auth_token (String, required)

A valid auth_token returned from the authenticate request. See the authenticate endpoint for more information.

mask (JSON Object, optional)

Defines which token types the Events Analyser includes in or excludes from its entropy calculation. A token type set to false is included in the entropy calculation; a token type set to true is excluded (masked). Masking token types such as dates or numbers stops tokens receiving a higher entropy value than they should have simply because they contain a unique number or date.

Default is:

{
    "path" : false,
    "ip_address" : false,
    "mac_address" : false,
    "url" : false,
    "email" : false,
    "date_time" : true,
    "number" : true,
    "hex" : false,
    "oid" : false,
    "guid" : false,
    "word" : false
  }

stop_words (Boolean, optional)

Indicates whether the Events Analyser uses stop words. Stop words are small common words such as 'about', 'at' or 'the', which the Events Analyser automatically excludes from its entropy calculation. Set to true to use stop words or false to disable them. Default is true.

stop_word_length (Number, optional)

Maximum length of words that the Events Analyser automatically excludes from its entropy calculation. For example, a value of 3 means the Events Analyser excludes any word of three or fewer characters. Default is 0, meaning that no words are excluded on the basis of length.

priority_words (Boolean, optional)

Indicates whether the Events Analyser uses priority words. The Events Analyser automatically gives any alert containing a priority word an entropy value of 1. Set to true to use priority words or false to disable them. Default is false.

partition_by (String, optional)

If you want the Events Analyser to partition the data, enter the property to partition by, for example source. Default is NULL, so the Events Analyser does not use partitioning. If you enable partitioning, supply any partition overrides you need with updateEventsAnalyserPartitionOverrides; this endpoint does not accept them.

fields (Array of Strings, optional)

Properties in each event that contribute to the entropy value calculation. Default is ["description"]. Moogsoft recommends providing a single field only.

casefold (Boolean, optional)

Indicates whether the Events Analyser treats tokens that differ only by case as the same token in its entropy calculation. Set to true to treat 'Error' and 'error' as the same token, or false to treat them as different tokens. Default is true.

stemming (Boolean, optional)

Indicates whether the Events Analyser treats words with the same word stem as the same word in its entropy calculation, for example 'fail', 'failed' and 'failing'. Set to true to treat words with the same stem as the same word, or false to treat them as different words. Default is false.

stemming_language (String, optional)

Language of the words in the events, used by the stemmer when stemming is true. Default is english.
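The following Python helper is an added example, not Moogsoft code. It validates a set of configuration changes against the arguments listed above before sending them, because the endpoint only applies the properties it recognises, so a misspelt key or a mask token type that does not exist (for example "datetime" instead of "date_time") would not produce the change you intended. It then encodes the request the same way curl's --data-urlencode does and POSTs it with urllib, leaving TLS verification on. The base URL, the auth token and the sample changes are assumptions constructed for the example.

```python
"""Validate and send an updateEventsAnalyserConfig request.

Added example, not Moogsoft code. Assumes a Graze instance at
https://localhost/graze/v1/ and an auth_token from the authenticate endpoint.
"""
import json
import urllib.parse
import urllib.request

GRAZE_BASE = "https://localhost/graze/v1/"  # assumption: local test instance

# Token types the mask object accepts, as listed in the reference, with the
# documented default for each (true = masked out of the entropy calculation).
DEFAULT_MASK = {
    "path": False, "ip_address": False, "mac_address": False, "url": False,
    "email": False, "date_time": True, "number": True, "hex": False,
    "oid": False, "guid": False, "word": False,
}

# Updatable properties and the Python type each must have.
ARG_TYPES = {
    "mask": dict,
    "stop_words": bool,
    "stop_word_length": int,
    "priority_words": bool,
    "partition_by": str,
    "fields": list,
    "casefold": bool,
    "stemming": bool,
    "stemming_language": str,
}


def validate_config(changes):
    """Return a list of problems with the requested changes (empty if OK)."""
    problems = []
    if not changes:
        problems.append("at least one property must be provided")
    for key, value in changes.items():
        expected = ARG_TYPES.get(key)
        if expected is None:
            problems.append(f"unknown property: {key}")
            continue
        # bool is a subclass of int, so reject True/False for numeric fields.
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            problems.append(f"{key} must be {expected.__name__}")
            continue
        if key == "mask":
            for tok, flag in value.items():
                if tok not in DEFAULT_MASK:
                    problems.append(f"unknown mask token type: {tok}")
                elif not isinstance(flag, bool):
                    problems.append(f"mask.{tok} must be true or false")
        elif key == "stop_word_length" and value < 0:
            problems.append("stop_word_length must be >= 0")
        elif key == "fields" and not all(isinstance(f, str) for f in value):
            problems.append("fields must contain strings only")
    return problems


def encode_form(auth_token, changes):
    """Encode as application/x-www-form-urlencoded, like curl --data-urlencode.

    Booleans become the lowercase strings the endpoint expects; JSON objects
    and arrays (mask, fields) are serialised to JSON text.
    """
    form = {"auth_token": auth_token}
    for key, value in changes.items():
        if isinstance(value, bool):
            form[key] = "true" if value else "false"
        elif isinstance(value, (dict, list)):
            form[key] = json.dumps(value)
        else:
            form[key] = str(value)
    return urllib.parse.urlencode(form).encode()


def update_events_analyser_config(auth_token, changes, base_url=GRAZE_BASE):
    """POST the changes; raise ValueError before sending if they are invalid."""
    problems = validate_config(changes)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url + "updateEventsAnalyserConfig",
        data=encode_form(auth_token, changes),
        method="POST",
    )
    # Certificate verification stays on; do not replicate curl -k outside a lab.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: also mask hex tokens, drop words of 3 chars or fewer,
    # enable priority words and partition by source. The full mask object is
    # sent (defaults plus the change) so no token type is left unspecified.
    change = {
        "mask": {**DEFAULT_MASK, "hex": True},
        "stop_word_length": 3,
        "priority_words": True,
        "partition_by": "source",
    }
    print(validate_config(change))
    print(encode_form("TOKEN", change).decode())
    # update_events_analyser_config("TOKEN", change)  # requires a live Graze
```

Sending the complete mask object rather than just the token types you are changing is a cautious choice on the part of this example; the reference does not state how a partial mask is merged.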

Response

Endpoint updateEventsAnalyserConfig returns the following response:

Examples

The following examples demonstrate typical use of endpoint updateEventsAnalyserConfig:

Request examples

Example cURL request to enable priority words in the Events Analyser. Use updateEventsAnalyserWords to add a list of priority words to the Events Analyser configuration. These examples use HTTP basic authentication (-u) in place of an auth_token argument, and -k to skip certificate verification, which is only appropriate against a test instance with a self-signed certificate:

curl -X POST -u graze:graze -k -v "https://localhost/graze/v1/updateEventsAnalyserConfig" \
--data-urlencode 'priority_words=true'

Example cURL request to enable partitioning in the Events Analyser by the source property:

curl -X POST -u graze:graze -k -v "https://localhost/graze/v1/updateEventsAnalyserConfig" \
--data-urlencode 'partition_by=source'

Response example