intelmq.bots.experts.threshold package
Submodules
intelmq.bots.experts.threshold.expert module
Threshold value expert bot
SPDX-FileCopyrightText: 2020 Linköping University <https://liu.se/>
SPDX-License-Identifier: AGPL-3.0-or-later
Given a stream of messages, this bot will let through only the single one that makes the count of similar messages go above a threshold value.
This bot is not multiprocessing safe. Do not run more than one instance on the same Redis cache database.
- param redis_cache_host: string
- param redis_cache_port: int
- param redis_cache_db: int
- param redis_cache_password: string. default: {None}
- param redis_cache_ttl: int, number of seconds to keep counts of similar messages.
- param filter_type: string [“whitelist”, “blacklist”], when determining whether two messages are similar, consider either only the named fields, or all but the named fields (time.observation is always ignored).
- param bypass: boolean, default: False
- param filter_keys: list of strings, keys to exclude or include when determining whether messages are similar. time.observation is always ignored.
- param threshold: int, number of messages after which one is sent on. As long as the count is above the threshold, no new messages will be sent.
- param add_keys: optional, array of strings to strings, keys to add to forwarded messages. Regardless of this setting, the field “extra.count” will be set to the number of messages seen (which will be the threshold value).
- intelmq.bots.experts.threshold.expert.BOT
alias of ThresholdExpertBot
- class intelmq.bots.experts.threshold.expert.ThresholdExpertBot(*args, **kwargs)
Bases: ExpertBot, CacheMixin
Check if the number of similar messages during a specified time interval exceeds a set value.
- add_keys: dict = {'comment': 'Threshold reached'}
- bypass = False
- filter_keys: Iterable = ['raw', 'time.observation']
- filter_type: str = 'blacklist'
- init()
- process()
- redis_cache_db: int = 11
- redis_cache_ttl: int = 3600
- threshold: int = 100
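A sketch of the counting behaviour described on this page, added here as an example and not IntelMQ's own code. `ThresholdSketch`, `similarity_hash` and `demo` are hypothetical names and an in-memory dict stands in for the Redis cache. Two points are assumptions: a message is forwarded exactly when its count reaches the threshold, and the TTL restarts on every write.

```python
import hashlib
import json
import time

IGNORED = {"time.observation"}  # per the page: always ignored when comparing


def similarity_hash(event, filter_keys, filter_type):
    """Hash only the fields that decide whether two events are 'similar'."""
    keys = set(filter_keys)
    if filter_type == "whitelist":
        kept = {k: v for k, v in event.items() if k in keys and k not in IGNORED}
    elif filter_type == "blacklist":
        kept = {k: v for k, v in event.items() if k not in keys | IGNORED}
    else:
        raise ValueError("filter_type must be 'whitelist' or 'blacklist'")
    return hashlib.sha256(json.dumps(kept, sort_keys=True).encode()).hexdigest()


class ThresholdSketch:
    """Hypothetical stand-in for the bot; a dict replaces the Redis cache."""
    def __init__(self, threshold, ttl, filter_keys, filter_type="blacklist",
                 add_keys=None, clock=time.monotonic):
        self.threshold, self.ttl, self.clock = threshold, ttl, clock
        self.filter_keys, self.filter_type = filter_keys, filter_type
        self.add_keys = add_keys or {}
        self.cache = {}  # similarity hash -> (count, expiry time)

    def process(self, event):
        """Return the forwarded event, or None when the event is suppressed."""
        key = similarity_hash(event, self.filter_keys, self.filter_type)
        now = self.clock()
        count, expires = self.cache.get(key, (0, 0.0))
        if now >= expires:  # count aged out after redis_cache_ttl seconds
            count = 0
        count += 1
        self.cache[key] = (count, now + self.ttl)  # assumption: TTL restarts per write
        if count != self.threshold:
            return None  # below the threshold, or already reported
        return {**event, **self.add_keys, "extra.count": count}


def demo():
    """Constructed events: one source repeated five times, one seen once."""
    bot = ThresholdSketch(3, 3600, ["source.ip"], "whitelist",
                          {"comment": "Threshold reached"})
    events = [{"source.ip": "192.0.2.7", "time.observation": f"t{i}"} for i in range(5)]
    events.insert(2, {"source.ip": "198.51.100.9", "time.observation": "tx"})
    return [out for out in map(bot.process, events) if out is not None]
```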