SumoLogic

v0.10.0 published on Wednesday, Sep 21, 2022 by Pulumi

CseAggregationRule

Provides a Sumo Logic CSE Aggregation Rule.

Example Usage

using System.Collections.Generic;
using Pulumi;
using SumoLogic = Pulumi.SumoLogic;

return await Deployment.RunAsync(() => 
{
    var aggregationRule = new SumoLogic.CseAggregationRule("aggregationRule", new()
    {
        AggregationFunctions = new[]
        {
            new SumoLogic.Inputs.CseAggregationRuleAggregationFunctionArgs
            {
                Arguments = new[]
                {
                    "metadata_deviceEventId",
                },
                Function = "count_distinct",
                Name = "distinct_eventid_count",
            },
        },
        DescriptionExpression = "Signal description",
        Enabled = true,
        EntitySelectors = new[]
        {
            new SumoLogic.Inputs.CseAggregationRuleEntitySelectorArgs
            {
                EntityType = "_ip",
                Expression = "srcDevice_ip",
            },
        },
        GroupByEntity = true,
        GroupByFields = new[]
        {
            "dstDevice_hostname",
        },
        IsPrototype = false,
        MatchExpression = "objectType = \"Network\"",
        NameExpression = "Signal name",
        SeverityMapping = new SumoLogic.Inputs.CseAggregationRuleSeverityMappingArgs
        {
            Default = 5,
            Type = "constant",
        },
        SummaryExpression = "Signal summary",
        Tags = new[]
        {
            "_mitreAttackTactic:TA0009",
        },
        TriggerExpression = "distinct_eventid_count > 5",
        WindowSize = "T30M",
    });

});
package main

import (
	"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := sumologic.NewCseAggregationRule(ctx, "aggregationRule", &sumologic.CseAggregationRuleArgs{
			AggregationFunctions: CseAggregationRuleAggregationFunctionArray{
				&CseAggregationRuleAggregationFunctionArgs{
					Arguments: pulumi.StringArray{
						pulumi.String("metadata_deviceEventId"),
					},
					Function: pulumi.String("count_distinct"),
					Name:     pulumi.String("distinct_eventid_count"),
				},
			},
			DescriptionExpression: pulumi.String("Signal description"),
			Enabled:               pulumi.Bool(true),
			EntitySelectors: CseAggregationRuleEntitySelectorArray{
				&CseAggregationRuleEntitySelectorArgs{
					EntityType: pulumi.String("_ip"),
					Expression: pulumi.String("srcDevice_ip"),
				},
			},
			GroupByEntity: pulumi.Bool(true),
			GroupByFields: pulumi.StringArray{
				pulumi.String("dstDevice_hostname"),
			},
			IsPrototype:     pulumi.Bool(false),
			MatchExpression: pulumi.String("objectType = \"Network\""),
			NameExpression:  pulumi.String("Signal name"),
			SeverityMapping: &CseAggregationRuleSeverityMappingArgs{
				Default: pulumi.Int(5),
				Type:    pulumi.String("constant"),
			},
			SummaryExpression: pulumi.String("Signal summary"),
			Tags: pulumi.StringArray{
				pulumi.String("_mitreAttackTactic:TA0009"),
			},
			TriggerExpression: pulumi.String("distinct_eventid_count > 5"),
			WindowSize:        pulumi.String("T30M"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.sumologic.CseAggregationRule;
import com.pulumi.sumologic.CseAggregationRuleArgs;
import com.pulumi.sumologic.inputs.CseAggregationRuleAggregationFunctionArgs;
import com.pulumi.sumologic.inputs.CseAggregationRuleEntitySelectorArgs;
import com.pulumi.sumologic.inputs.CseAggregationRuleSeverityMappingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aggregationRule = new CseAggregationRule("aggregationRule", CseAggregationRuleArgs.builder()        
            .aggregationFunctions(CseAggregationRuleAggregationFunctionArgs.builder()
                .arguments("metadata_deviceEventId")
                .function("count_distinct")
                .name("distinct_eventid_count")
                .build())
            .descriptionExpression("Signal description")
            .enabled(true)
            .entitySelectors(CseAggregationRuleEntitySelectorArgs.builder()
                .entityType("_ip")
                .expression("srcDevice_ip")
                .build())
            .groupByEntity(true)
            .groupByFields("dstDevice_hostname")
            .isPrototype(false)
            .matchExpression("objectType = \"Network\"")
            .nameExpression("Signal name")
            .severityMapping(CseAggregationRuleSeverityMappingArgs.builder()
                .default_(5)
                .type("constant")
                .build())
            .summaryExpression("Signal summary")
            .tags("_mitreAttackTactic:TA0009")
            .triggerExpression("distinct_eventid_count > 5")
            .windowSize("T30M")
            .build());

    }
}
import pulumi
import pulumi_sumologic as sumologic

aggregation_rule = sumologic.CseAggregationRule("aggregationRule",
    aggregation_functions=[sumologic.CseAggregationRuleAggregationFunctionArgs(
        arguments=["metadata_deviceEventId"],
        function="count_distinct",
        name="distinct_eventid_count",
    )],
    description_expression="Signal description",
    enabled=True,
    entity_selectors=[sumologic.CseAggregationRuleEntitySelectorArgs(
        entity_type="_ip",
        expression="srcDevice_ip",
    )],
    group_by_entity=True,
    group_by_fields=["dstDevice_hostname"],
    is_prototype=False,
    match_expression="objectType = \"Network\"",
    name_expression="Signal name",
    severity_mapping=sumologic.CseAggregationRuleSeverityMappingArgs(
        default=5,
        type="constant",
    ),
    summary_expression="Signal summary",
    tags=["_mitreAttackTactic:TA0009"],
    trigger_expression="distinct_eventid_count > 5",
    window_size="T30M")
import * as pulumi from "@pulumi/pulumi";
import * as sumologic from "@pulumi/sumologic";

const aggregationRule = new sumologic.CseAggregationRule("aggregation_rule", {
    aggregationFunctions: [{
        arguments: ["metadata_deviceEventId"],
        function: "count_distinct",
        name: "distinct_eventid_count",
    }],
    descriptionExpression: "Signal description",
    enabled: true,
    entitySelectors: [{
        entityType: "_ip",
        expression: "srcDevice_ip",
    }],
    groupByEntity: true,
    groupByFields: ["dstDevice_hostname"],
    isPrototype: false,
    matchExpression: "objectType = \"Network\"",
    nameExpression: "Signal name",
    severityMapping: {
        default: 5,
        type: "constant",
    },
    summaryExpression: "Signal summary",
    tags: ["_mitreAttackTactic:TA0009"],
    triggerExpression: "distinct_eventid_count > 5",
    windowSize: "T30M",
});
resources:
  aggregationRule:
    type: sumologic:CseAggregationRule
    properties:
      aggregationFunctions:
        - arguments:
            - metadata_deviceEventId
          function: count_distinct
          name: distinct_eventid_count
      descriptionExpression: Signal description
      enabled: true
      entitySelectors:
        - entityType: _ip
          expression: srcDevice_ip
      groupByEntity: true
      groupByFields:
        - dstDevice_hostname
      isPrototype: false
      matchExpression: objectType = "Network"
      nameExpression: Signal name
      severityMapping:
        default: 5
        type: constant
      summaryExpression: Signal summary
      tags:
        - _mitreAttackTactic:TA0009
      triggerExpression: distinct_eventid_count > 5
      windowSize: T30M

Create a CseAggregationRule Resource

new CseAggregationRule(name: string, args: CseAggregationRuleArgs, opts?: CustomResourceOptions);
@overload
def CseAggregationRule(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       aggregation_functions: Optional[Sequence[CseAggregationRuleAggregationFunctionArgs]] = None,
                       description_expression: Optional[str] = None,
                       enabled: Optional[bool] = None,
                       entity_selectors: Optional[Sequence[CseAggregationRuleEntitySelectorArgs]] = None,
                       group_by_entity: Optional[bool] = None,
                       group_by_fields: Optional[Sequence[str]] = None,
                       is_prototype: Optional[bool] = None,
                       match_expression: Optional[str] = None,
                       name: Optional[str] = None,
                       name_expression: Optional[str] = None,
                       severity_mapping: Optional[CseAggregationRuleSeverityMappingArgs] = None,
                       summary_expression: Optional[str] = None,
                       tags: Optional[Sequence[str]] = None,
                       trigger_expression: Optional[str] = None,
                       window_size: Optional[str] = None)
@overload
def CseAggregationRule(resource_name: str,
                       args: CseAggregationRuleArgs,
                       opts: Optional[ResourceOptions] = None)
func NewCseAggregationRule(ctx *Context, name string, args CseAggregationRuleArgs, opts ...ResourceOption) (*CseAggregationRule, error)
public CseAggregationRule(string name, CseAggregationRuleArgs args, CustomResourceOptions? opts = null)
public CseAggregationRule(String name, CseAggregationRuleArgs args)
public CseAggregationRule(String name, CseAggregationRuleArgs args, CustomResourceOptions options)
type: sumologic:CseAggregationRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args CseAggregationRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CseAggregationRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CseAggregationRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CseAggregationRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args CseAggregationRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

CseAggregationRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CseAggregationRule resource accepts the following input properties:

AggregationFunctions List<Pulumi.SumoLogic.Inputs.CseAggregationRuleAggregationFunctionArgs>

One or more named aggregation functions

DescriptionExpression string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors List<Pulumi.SumoLogic.Inputs.CseAggregationRuleEntitySelectorArgs>

The entities to generate Signals on

MatchExpression string

The expression for which records to match on

NameExpression string

The name of the generated Signals

SeverityMapping Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

TriggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

GroupByEntity bool

Whether to group records by the specified entity fields

GroupByFields List<string>

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Name string

The name of the Rule

SummaryExpression string

The summary of the generated Signals

Tags List<string>

The tags of the generated Signals

AggregationFunctions []CseAggregationRuleAggregationFunctionArgs

One or more named aggregation functions

DescriptionExpression string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors []CseAggregationRuleEntitySelectorArgs

The entities to generate Signals on

MatchExpression string

The expression for which records to match on

NameExpression string

The name of the generated Signals

SeverityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

TriggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

GroupByEntity bool

Whether to group records by the specified entity fields

GroupByFields []string

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

Name string

The name of the Rule

SummaryExpression string

The summary of the generated Signals

Tags []string

The tags of the generated Signals

aggregationFunctions List<CseAggregationRuleAggregationFunctionArgs>

One or more named aggregation functions

descriptionExpression String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<CseAggregationRuleEntitySelectorArgs>

The entities to generate Signals on

matchExpression String

The expression for which records to match on

nameExpression String

The name of the generated Signals

severityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

triggerExpression String

The expression to determine whether a Signal should be created based on the aggregation results

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

groupByEntity Boolean

Whether to group records by the specified entity fields

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

name String

The name of the Rule

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

aggregationFunctions CseAggregationRuleAggregationFunctionArgs[]

One or more named aggregation functions

descriptionExpression string

The description of the generated Signals

enabled boolean

Whether the rule should generate Signals

entitySelectors CseAggregationRuleEntitySelectorArgs[]

The entities to generate Signals on

matchExpression string

The expression for which records to match on

nameExpression string

The name of the generated Signals

severityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

triggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

windowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

groupByEntity boolean

Whether to group records by the specified entity fields

groupByFields string[]

A list of fields to group records by

isPrototype boolean

Whether the generated Signals should be prototype Signals

name string

The name of the Rule

summaryExpression string

The summary of the generated Signals

tags string[]

The tags of the generated Signals

aggregation_functions Sequence[CseAggregationRuleAggregationFunctionArgs]

One or more named aggregation functions

description_expression str

The description of the generated Signals

enabled bool

Whether the rule should generate Signals

entity_selectors Sequence[CseAggregationRuleEntitySelectorArgs]

The entities to generate Signals on

match_expression str

The expression for which records to match on

name_expression str

The name of the generated Signals

severity_mapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

trigger_expression str

The expression to determine whether a Signal should be created based on the aggregation results

window_size str

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

group_by_entity bool

Whether to group records by the specified entity fields

group_by_fields Sequence[str]

A list of fields to group records by

is_prototype bool

Whether the generated Signals should be prototype Signals

name str

The name of the Rule

summary_expression str

The summary of the generated Signals

tags Sequence[str]

The tags of the generated Signals

aggregationFunctions List<Property Map>

One or more named aggregation functions

descriptionExpression String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<Property Map>

The entities to generate Signals on

matchExpression String

The expression for which records to match on

nameExpression String

The name of the generated Signals

severityMapping Property Map

The configuration of how the severity of the Signals should be mapped from the Records

triggerExpression String

The expression to determine whether a Signal should be created based on the aggregation results

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

groupByEntity Boolean

Whether to group records by the specified entity fields

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

name String

The name of the Rule

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

Outputs

All input properties are implicitly available as output properties. Additionally, the CseAggregationRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing CseAggregationRule Resource

Get an existing CseAggregationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CseAggregationRuleState, opts?: CustomResourceOptions): CseAggregationRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        aggregation_functions: Optional[Sequence[CseAggregationRuleAggregationFunctionArgs]] = None,
        description_expression: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_selectors: Optional[Sequence[CseAggregationRuleEntitySelectorArgs]] = None,
        group_by_entity: Optional[bool] = None,
        group_by_fields: Optional[Sequence[str]] = None,
        is_prototype: Optional[bool] = None,
        match_expression: Optional[str] = None,
        name: Optional[str] = None,
        name_expression: Optional[str] = None,
        severity_mapping: Optional[CseAggregationRuleSeverityMappingArgs] = None,
        summary_expression: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        trigger_expression: Optional[str] = None,
        window_size: Optional[str] = None) -> CseAggregationRule
func GetCseAggregationRule(ctx *Context, name string, id IDInput, state *CseAggregationRuleState, opts ...ResourceOption) (*CseAggregationRule, error)
public static CseAggregationRule Get(string name, Input<string> id, CseAggregationRuleState? state, CustomResourceOptions? opts = null)
public static CseAggregationRule get(String name, Output<String> id, CseAggregationRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AggregationFunctions List<Pulumi.SumoLogic.Inputs.CseAggregationRuleAggregationFunctionArgs>

One or more named aggregation functions

DescriptionExpression string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors List<Pulumi.SumoLogic.Inputs.CseAggregationRuleEntitySelectorArgs>

The entities to generate Signals on

GroupByEntity bool

Whether to group records by the specified entity fields

GroupByFields List<string>

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

MatchExpression string

The expression for which records to match on

Name string

The name of the Rule

NameExpression string

The name of the generated Signals

SeverityMapping Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

SummaryExpression string

The summary of the generated Signals

Tags List<string>

The tags of the generated Signals

TriggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

AggregationFunctions []CseAggregationRuleAggregationFunctionArgs

One or more named aggregation functions

DescriptionExpression string

The description of the generated Signals

Enabled bool

Whether the rule should generate Signals

EntitySelectors []CseAggregationRuleEntitySelectorArgs

The entities to generate Signals on

GroupByEntity bool

Whether to group records by the specified entity fields

GroupByFields []string

A list of fields to group records by

IsPrototype bool

Whether the generated Signals should be prototype Signals

MatchExpression string

The expression for which records to match on

Name string

The name of the Rule

NameExpression string

The name of the generated Signals

SeverityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

SummaryExpression string

The summary of the generated Signals

Tags []string

The tags of the generated Signals

TriggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

WindowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

aggregationFunctions List<CseAggregationRuleAggregationFunctionArgs>

One or more named aggregation functions

descriptionExpression String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<CseAggregationRuleEntitySelectorArgs>

The entities to generate Signals on

groupByEntity Boolean

Whether to group records by the specified entity fields

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

matchExpression String

The expression for which records to match on

name String

The name of the Rule

nameExpression String

The name of the generated Signals

severityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

triggerExpression String

The expression to determine whether a Signal should be created based on the aggregation results

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

aggregationFunctions CseAggregationRuleAggregationFunctionArgs[]

One or more named aggregation functions

descriptionExpression string

The description of the generated Signals

enabled boolean

Whether the rule should generate Signals

entitySelectors CseAggregationRuleEntitySelectorArgs[]

The entities to generate Signals on

groupByEntity boolean

Whether to group records by the specified entity fields

groupByFields string[]

A list of fields to group records by

isPrototype boolean

Whether the generated Signals should be prototype Signals

matchExpression string

The expression for which records to match on

name string

The name of the Rule

nameExpression string

The name of the generated Signals

severityMapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

summaryExpression string

The summary of the generated Signals

tags string[]

The tags of the generated Signals

triggerExpression string

The expression to determine whether a Signal should be created based on the aggregation results

windowSize string

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

aggregation_functions Sequence[CseAggregationRuleAggregationFunctionArgs]

One or more named aggregation functions

description_expression str

The description of the generated Signals

enabled bool

Whether the rule should generate Signals

entity_selectors Sequence[CseAggregationRuleEntitySelectorArgs]

The entities to generate Signals on

group_by_entity bool

Whether to group records by the specified entity fields

group_by_fields Sequence[str]

A list of fields to group records by

is_prototype bool

Whether the generated Signals should be prototype Signals

match_expression str

The expression for which records to match on

name str

The name of the Rule

name_expression str

The name of the generated Signals

severity_mapping CseAggregationRuleSeverityMappingArgs

The configuration of how the severity of the Signals should be mapped from the Records

summary_expression str

The summary of the generated Signals

tags Sequence[str]

The tags of the generated Signals

trigger_expression str

The expression to determine whether a Signal should be created based on the aggregation results

window_size str

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

aggregationFunctions List<Property Map>

One or more named aggregation functions

descriptionExpression String

The description of the generated Signals

enabled Boolean

Whether the rule should generate Signals

entitySelectors List<Property Map>

The entities to generate Signals on

groupByEntity Boolean

Whether to group records by the specified entity fields

groupByFields List<String>

A list of fields to group records by

isPrototype Boolean

Whether the generated Signals should be prototype Signals

matchExpression String

The expression for which records to match on

name String

The name of the Rule

nameExpression String

The name of the generated Signals

severityMapping Property Map

The configuration of how the severity of the Signals should be mapped from the Records

summaryExpression String

The summary of the generated Signals

tags List<String>

The tags of the generated Signals

triggerExpression String

The expression to determine whether a Signal should be created based on the aggregation results

windowSize String

How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, or T05D.

Supporting Types

CseAggregationRuleAggregationFunction

Arguments List<string>

One or more expressions to pass as arguments to the function

Function string

The function to aggregate with

Name string

The name of the Rule

Arguments []string

One or more expressions to pass as arguments to the function

Function string

The function to aggregate with

Name string

The name of the Rule

arguments List<String>

One or more expressions to pass as arguments to the function

function String

The function to aggregate with

name String

The name of the Rule

arguments string[]

One or more expressions to pass as arguments to the function

function string

The function to aggregate with

name string

The name of the Rule

arguments Sequence[str]

One or more expressions to pass as arguments to the function

function str

The function to aggregate with

name str

The name of the Rule

arguments List<String>

One or more expressions to pass as arguments to the function

function String

The function to aggregate with

name String

The name of the Rule

CseAggregationRuleEntitySelector

EntityType string
Expression string

The expression or field name to generate the Signal on.

EntityType string
Expression string

The expression or field name to generate the Signal on.

entityType String
expression String

The expression or field name to generate the Signal on.

entityType string
expression string

The expression or field name to generate the Signal on.

entity_type str
expression str

The expression or field name to generate the Signal on.

entityType String
expression String

The expression or field name to generate the Signal on.

CseAggregationRuleSeverityMapping

Type string

Must be set to "eq" currently

Default int

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

Field string

The field to use in the "fieldValue"/"fieldValueMapping" cases.

Mappings List<Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMappingMapping>

The map of record values to severities to use in the "fieldValueMapping" case

Type string

Must be set to "eq" currently

Default int

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

Field string

The field to use in the "fieldValue"/"fieldValueMapping" cases.

Mappings []CseAggregationRuleSeverityMappingMapping

The map of record values to severities to use in the "fieldValueMapping" case

type String

Must be set to "eq" currently

default_ Integer

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

field String

The field to use in the "fieldValue"/"fieldValueMapping" cases.

mappings List<CseAggregationRuleSeverityMappingMapping>

The map of record values to severities to use in the "fieldValueMapping" case

type string

Must be set to "eq" currently

default number

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

field string

The field to use in the "fieldValue"/"fieldValueMapping" cases.

mappings CseAggregationRuleSeverityMappingMapping[]

The map of record values to severities to use in the "fieldValueMapping" case

type str

Must be set to "eq" currently

default int

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

field str

The field to use in the "fieldValue"/"fieldValueMapping" cases.

mappings Sequence[CseAggregationRuleSeverityMappingMapping]

The map of record values to severities to use in the "fieldValueMapping" case

type String

Must be set to "eq" currently

default Number

The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.

field String

The field to use in the "fieldValue"/"fieldValueMapping" cases.

mappings List<Property Map>

The map of record values to severities to use in the "fieldValueMapping" case

CseAggregationRuleSeverityMappingMapping

From string

The record value to map from

To int

The severity value to map to

Type string

Must be set to "eq" currently

From string

The record value to map from

To int

The severity value to map to

Type string

Must be set to "eq" currently

from String

The record value to map from

to Integer

The severity value to map to

type String

Must be set to "eq" currently

from string

The record value to map from

to number

The severity value to map to

type string

Must be set to "eq" currently

from_ str

The record value to map from

to int

The severity value to map to

type str

Must be set to "eq" currently

from String

The record value to map from

to Number

The severity value to map to

type String

Must be set to "eq" currently

Import

Aggregation Rules can be imported using the field id, e.g.hcl

 $ pulumi import sumologic:index/cseAggregationRule:CseAggregationRule aggregation_rule id

Package Details

Repository
https://github.com/pulumi/pulumi-sumologic
License
Apache-2.0
Notes

This Pulumi package is based on the sumologic Terraform Provider.