updateEventsAnalyserPartitionOverrides

A Graze API POST request that updates the Events Analyser with the supplied partition overrides information. This endpoint overwrites any existing partition overrides.

If you use partitions in the Events Analyser configuration, the endpoint enables you to specify overrides for specific partitions. These settings override the default configuration you have specified in the arguments in the endpoint updateEventsAnalyserConfig or in the Moogsoft Onprem UI. For example, the default Events Analyser configuration may not use priority words but for one partition, London, you might want to enable priority words and set the priority word list to 'NEW_YORK' and 'LONDON'. If a partition does not have any overrides, or a property is not set for a partition, the Events Analyser uses the values in the default configuration.

Use updateEventsAnalyserConfig to set the partition_by parameter to enable the Events Analyser to calculate entropy by partitions.

Back to Graze API EndPoint Reference.

Request arguments

Endpoint updateEventsAnalyserPartitionOverrides takes the following request arguments. If an argument is empty or set to null it is set to null in the database.

Name	Type	Required	Description
`auth_token`	String	Yes	A valid `auth_token` returned from the `authenticate` request. Alternatively, basic authenticate headers can be used in place of this parameter. See the authenticate endpoint for more information and usage examples.
`partition_overrides`	JSON Object	Yes	A JSON object containing all the partition override information that you want to create.

The partition_overrides object has the following format. For any partitions, define the arguments where you want to override the default Events Analyser configuration.

Name	Type	Required	Description
`mask`	JSON Object	No	Defines which token types the Events Analyser includes or excludes from its entropy calculation for this partition. If a token type is set to `false`, the entropy calculation includes it. If it is set to `true`, the entropy calculation excludes the token type. Masking token types, such as dates or numbers, ensures that tokens are not given a higher entropy value than they should have because of unique numbers or dates. The mask argument contains the following options: `path`: Set to `true` to exclude file paths from the entropy calculation. `ip_address`: Set to `true` to exclude IP addresses from the entropy calculation. `mac_address`: Set to `true` to exclude MAC addresses from the entropy calculation. `url`: Set to `true` to exclude URLs from the entropy calculation. `email`: Set to `true` to exclude email addresses from the entropy calculation. `date_time`: Set to `true` to exclude date and time values from the entropy calculation. `number`: Set to `true` to exclude ordinary numbers from the entropy calculation. `hex`: Set to `true` to exclude hex numbers from the entropy calculation. `oid`: Set to `true` to exclude object identifiers from the entropy calculation. `guid`: Set to `true` to exclude globally unique identifiers, also know as universally unique identifiers (UUIDs), from the entropy calculation. `word`: Set to `true` to exclude words from the entropy calculation.
`stop_words`	Boolean	No	Indicates whether or not the Events Analyser uses stop words for this partition. Stop words are small common words such as 'about', 'at', or 'the'. The Events Analyser automatically excludes stop words from its entropy calculation. Set to `true` to use stop words. Set to `false` if you do not want to use stop words.
`stop_words_list`	JSON Array of Strings	No	List of stop words that you want the Events Analyser to ignore in its entropy calculation for this partition.
`stop_word_length`	Number	No	Maximum length of words that are automatically excluded by the Events Analyser from its entropy calculation for this partition. For example, a value of `3` means the Events Analyser excludes any words of three or less characters.
`priority_words`	Boolean	No	Indicates whether or not the Events Analyser uses priority words in its entropy calculation for this partition. The Events Analyser automatically gives alerts containing any priority words an entropy value of 1. Set to `true` to use priority words. Set to `false` if you do not want to use priority words.
`priority_words_list`	JSON Array of Strings	No	List of priority words that you want the Events Analyser to automatically assign an entropy value of 1 in its entropy calculation for this partition.
`fields`	JSON Array of Strings	No	Properties in each event that contribute to the entropy calculation for this partition. Moogsoft recommends specifying a single field only.
`casefold`	JSON Object	No	Indicates whether the Events Analyser should consider tokens that differ only by case in its entropy calculation for this partition. Set to `true` to consider tokens in a different case as the same. Set to `false` to consider tokens in a different case as different.
`stemming`	Boolean	No	Indicates whether the Events Analyser considers words with the same word stem as the same word in its entropy calculation for this partition. For example, should the Events Analyser consider 'fail', 'failed' and 'failing' as the same word. Set to `true` to consider words with the same word stem as the same. Set to `false` to consider words with the same word stem as different.
`stemming_language`	String	No	Language used in the events.

Response

Endpoint updateEventsAnalyserPartitionOverrides returns the following response:

Type	Description
HTTP Code	HTTP status or error code indicating request success or failure. See HTTP status code definitions for more information.

Examples

The following examples demonstrate typical use of endpoint updateEventsAnalyserPartitionOverrides:

Request example

Example cURL request to update the Events Analyser with partition overrides for two partitions, 'NEW_YORK' and 'LONDON':

curl -X POST -u graze:graze -k -v "https://localhost/graze/v1/updateEventsAnalyserPartitionOverrides" -H "Content-Type: application/json; charset=UTF-8" -d \
'{ \
    "partition_overrides": "{ \
        "NEW_YORK": { \
            "fields": ["description"], \
            "casefold": true, \
            "stop_words": false, \
            "priority_words": false, \
            "stop_word_length": 3 \
        }, \
        "LONDON": { \
            "mask": { \
                "date_time": false, \
                "ip_address": true \
            }, \
            "stemming": true, \
            "stop_words": true, \
            "priority_words": true, \
            "stop_words_list": ["france","germany","italy","peru","india","japan","korea"], \
            "stop_word_length": 1, \
            "priority_words_list": ["reboot","shutdown"] \
        } \
    }" \
}'

Response example

In this section: