Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 15:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/doc/scripts/base/utils/thresholds.zeek.rst
Tim Wojtulewicz ded98cd373 Copy docs into Zeek repo directly 
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
2025-09-26 02:58:29 +00:00

118 lines
4.1 KiB
ReStructuredText
Raw Permalink Blame History

:tocdepth: 3
base/utils/thresholds.zeek
==========================
.. zeek:namespace:: GLOBAL
Functions for using multiple thresholds with a counting tracker. For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between. You can use
the :zeek:id:`check_threshold` function to define your threshold points
and the :zeek:type:`TrackCount` variable where you are keeping track of your
counter.
:Namespace: GLOBAL
Summary
~~~~~~~
Redefinable Options
###################
============================================================================= =========================================================
:zeek:id:`default_notice_thresholds`: :zeek:type:`vector` :zeek:attr:`&redef` The thresholds you would like to use as defaults with the
:zeek:id:`default_check_threshold` function.
============================================================================= =========================================================
Types
#####
============================================ =
:zeek:type:`TrackCount`: :zeek:type:`record`
============================================ =
Functions
#########
========================================================= =====================================================================
:zeek:id:`check_threshold`: :zeek:type:`function` This will check if a :zeek:type:`TrackCount` variable has crossed any
thresholds in a given set.
:zeek:id:`default_check_threshold`: :zeek:type:`function` This will use the :zeek:id:`default_notice_thresholds` variable to
check a :zeek:type:`TrackCount` variable to see if it has crossed
another threshold.
:zeek:id:`new_track_count`: :zeek:type:`function`
========================================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: default_notice_thresholds
:source-code: base/utils/thresholds.zeek 22 22
:Type: :zeek:type:`vector` of :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default:
::
[30, 100, 1000, 10000, 100000, 1000000, 10000000]
The thresholds you would like to use as defaults with the
:zeek:id:`default_check_threshold` function.
Types
#####
.. zeek:type:: TrackCount
:source-code: base/utils/thresholds.zeek 11 18
:Type: :zeek:type:`record`
.. zeek:field:: n :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The counter for the number of times something has happened.
.. zeek:field:: index :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The index of the vector where the counter currently is. This
is used to track which threshold is currently being watched
for.
Functions
#########
.. zeek:id:: check_threshold
:source-code: base/utils/thresholds.zeek 49 57
:Type: :zeek:type:`function` (v: :zeek:type:`vector` of :zeek:type:`count`, tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
This will check if a :zeek:type:`TrackCount` variable has crossed any
thresholds in a given set.
:param v: a vector holding counts that represent thresholds.
:param tracker: the record being used to track event counter and currently
monitored threshold value.
:returns: T if a threshold has been crossed, else F.
.. zeek:id:: default_check_threshold
:source-code: base/utils/thresholds.zeek 59 62
:Type: :zeek:type:`function` (tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
This will use the :zeek:id:`default_notice_thresholds` variable to
check a :zeek:type:`TrackCount` variable to see if it has crossed
another threshold.
.. zeek:id:: new_track_count
:source-code: base/utils/thresholds.zeek 43 47
:Type: :zeek:type:`function` () : :zeek:type:`TrackCount`
Reference in a new issue View git blame Copy permalink