updateEventsAnalyserConfig

A Graze API POST request that updates the Events Analyser configuration.

You cannot use this endpoint to update the lists of priority words and stop words in the Events Analyser configuration. Use updateEventsAnalyserWords to replace an existing list of priority words or stop words. Use addEventsAnalyserWord to add a single word to a list of priority words or stop words, or removeEventsAnalyserWord to remove a single word.

If you use partitions in the entropy calculations, use updateEventsAnalyserPartitionOverrides to update the Events Analyser configuration with any partition overrides you want to implement.

Back to Graze API EndPoint Reference.

Request arguments

The updateEventsAnalyserConfig endpoints accepts the following request arguments. Authenticate the endpoint and provide at least one of the following arguments. The endpoint only updates the properties provided.

Name	Type	Required	Description
`auth_token`	String	Yes	A valid `auth_token` returned from the `authenticate` request. Alternatively, basic authenticate headers can be used in place of this parameter. See the authenticate endpoint for more information and usage examples.
`mask`	JSON Object	No	Defines which token types the Events Analyser includes or excludes from its entropy calculation. If a token type is set to `false`, the entropy calculation includes it. If it is set to `true`, the entropy calculation excludes the token type. Masking token types, such as dates or numbers, ensures that tokens are not given a higher entropy value than they should have because of unique numbers or dates. The mask argument contains the following options: `path`: Set to `true` to exclude file paths from the entropy calculation. `ip_address`: Set to `true` to exclude IP addresses from the entropy calculation. `mac_address`: Set to `true` to exclude MAC addresses from the entropy calculation. `url`: Set to `true` to exclude URLs from the entropy calculation. `email`: Set to `true` to exclude email addresses from the entropy calculation. `date_time`: Set to `true` to exclude date and time values from the entropy calculation. `number`: Set to `true` to exclude ordinary numbers from the entropy calculation. `hex`: Set to `true` to exclude hex numbers from the entropy calculation. `oid`: Set to `true` to exclude object identifiers from the entropy calculation. `guid`: Set to `true` to exclude globally unique identifiers, also know as universally unique identifiers (UUIDs), from the entropy calculation. `word`: Set to `true` to exclude words from the entropy calculation. Default is: { "path" : false, "ip_address" : false, "mac_address" : false, "url" : false, "email" : false, "date_time" : true, "number" : true, "hex" : false, "oid" : false, "guid" : false, "word" : false }
`stop_words`	Boolean	No	Indicates whether or not the Events Analyser uses stop words. Stop words are small common words such as 'about', 'at', or 'the'. The Events Analyser automatically excludes stop words from its entropy calculation. Set to `true` to use stop words. Set to `false` if you do not want to use stop words. Default is `true`.
`stop_word_length`	Number	No	Maximum length of words that are automatically excluded by the Events Analyser from its entropy calculation. For example, a value of `3` means the Events Analyser excludes any words of three or less characters. Default is `0` meaning that no words are excluded from its entropy calculation.
`priority_words`	Boolean	No	Indicates whether or not the Events Analyser uses priority words. The Events Analyser automatically gives alerts containing any priority words an entropy value of 1. Set to `true` to use priority words. Set to `false` if you do not want to use priority words. Default is `false`.
`partition_by`	String	No	If you want the Events Analyser to partition the data, enter the property that you want to partition by, for example, `source`. Default is `NULL` so the Events Analyser does not use partitioning. If you want to use partitioning, you must enter any relevant information in `partition_overrides` below.
`fields`	Array of Strings	No	Properties in each event that contribute to the entropy value calculation. Default is `["description"]`. Moogsoft recommends providing a single field only.
`casefold`	Boolean	No	Indicates whether the Events Analyser should consider tokens that differ only by case in its entropy calculation. Set to `true` to consider tokens in a different case as the same. Set to `false` to consider tokens in a different case as different. Default is `true`.
`stemming`	Boolean	No	Indicates whether the Events Analyser considers words with the same word stem as the same word in entropy calculations. For example, should the Events Analyser consider 'fail', 'failed' and 'failing' as the same word. Set to `true` to consider words with the same word stem as the same. Set to `false` to consider consider words with the same word stem as different. Default is `false`.
`stemming_language`	String	No	Language used in the events. Default is `english`.

Response

Endpoint updateEventsAnalyserConfig returns the following response:

Type	Description
HTTP Code	HTTP status or error code indicating request success or failure. See HTTP status code definitions for more information.

Examples

The following examples demonstrate typical use of endpoint updateEventsAnalyserConfig:

Request examples

Example cURL request to enable priority words in the Events Analyser. Use updateEventsAnalyserWords to add a list of priority words to the Events Analyser configuration.

curl -POST -u graze:graze -k -v "https://localhost/graze/v1/updateEventsAnalyserConfig" \
--data-urlencode 'priority_words=true'

Example cURL request to enable partitioning in the Events Analyser:

curl -POST -u graze:graze -k -v "https://localhost/graze/v1/updateEventsAnalyserConfig" \
--data-urlencode 'partition_by=source'

Response example

In this section: