Is it possible to define a severity level for an eventtype without using a lookup table? The purpose would be so that, when I run a single, generic search that provides the ability to report/alert on multiple of these eventtypes, I can differentiate between the severity of each.
Without severity
Currently, the search looks something like this:
index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype
The results would look like this (in csv)
- HOST,EVENTTYPE,COUNT
- host1,eventtype1,count
- host1,eventtype2,count
- host2,eventtype1,count
- host2,eventtype3,count
With severity
Through some method, there'd be an eventtype -> severity mapping like this:
- eventtype1 -> 5
- eventtype2 -> 4
- eventtype3 -> 4
index=myindex source=thisone eventtype=eventtype* | stats count by host eventtype severity
The results would look like this (in csv)
- HOST,EVENTTYPE,SEVERITY,COUNT
- host1,eventtype1,5,count
- host1,eventtype2,4,count
- host2,eventtype1,5,count
- host2,eventtype3,4,count
Short of creating a separate lookup table (which is definitely possible, it would just be more complicated operational process to update), what's the best method for creating that mapping? For example, I was hoping it might be possible to use tags for this. For example, I know you can't assign values to tags (e.g. tag::severity=5), but I thought we might be able to create hierarchical tags (e.g. tag::severity::5).
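As an added example (not part of the original question), one way to carry the eventtype -> severity mapping inline in the search itself with eval/case, using the eventtype names and severity values from the question; the mvexpand step is an assumption for events that match more than one eventtype, and 0 is an assumed default for unmapped eventtypes:

```spl
index=myindex source=thisone eventtype=eventtype*
| mvexpand eventtype
| eval severity=case(
      eventtype=="eventtype1", 5,
      eventtype=="eventtype2", 4,
      eventtype=="eventtype3", 4,
      true(), 0)
| stats count by host eventtype severity
| sort - severity
```

The mapping then lives in the saved search (or a macro) rather than in a lookup file, and any eventtype that falls through to the 0 default shows up in the results as unmapped, which is the row to check when a new eventtype is added.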