1. Packages
  2. Sumologic Provider
  3. API Docs
  4. CseAggregationRule
Sumo Logic v0.23.7 published on Thursday, Oct 24, 2024 by Pulumi

sumologic.CseAggregationRule

Explore with Pulumi AI

sumologic logo
Sumo Logic v0.23.7 published on Thursday, Oct 24, 2024 by Pulumi

    Provides a Sumo Logic CSE Aggregation Rule.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as sumologic from "@pulumi/sumologic";
    
    const aggregationRule = new sumologic.CseAggregationRule("aggregation_rule", {
        aggregationFunctions: [{
            name: "distinct_eventid_count",
            "function": "count_distinct",
            arguments: ["metadata_deviceEventId"],
        }],
        descriptionExpression: "Signal description",
        enabled: true,
        entitySelectors: [{
            entityType: "_ip",
            expression: "srcDevice_ip",
        }],
        groupByEntity: true,
        groupByFields: ["dstDevice_hostname"],
        matchExpression: "objectType = \"Network\"",
        isPrototype: false,
        name: "Aggregation Rule Example",
        nameExpression: "Signal name",
        severityMapping: {
            type: "constant",
            "default": 5,
        },
        summaryExpression: "Signal summary",
        tags: ["_mitreAttackTactic:TA0009"],
        triggerExpression: "distinct_eventid_count > 5",
        windowSize: "T30M",
        suppressionWindowSize: 2100000,
    });
    
    import pulumi
    import pulumi_sumologic as sumologic
    
    aggregation_rule = sumologic.CseAggregationRule("aggregation_rule",
        aggregation_functions=[{
            "name": "distinct_eventid_count",
            "function": "count_distinct",
            "arguments": ["metadata_deviceEventId"],
        }],
        description_expression="Signal description",
        enabled=True,
        entity_selectors=[{
            "entity_type": "_ip",
            "expression": "srcDevice_ip",
        }],
        group_by_entity=True,
        group_by_fields=["dstDevice_hostname"],
        match_expression="objectType = \"Network\"",
        is_prototype=False,
        name="Aggregation Rule Example",
        name_expression="Signal name",
        severity_mapping={
            "type": "constant",
            "default": 5,
        },
        summary_expression="Signal summary",
        tags=["_mitreAttackTactic:TA0009"],
        trigger_expression="distinct_eventid_count > 5",
        window_size="T30M",
        suppression_window_size=2100000)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-sumologic/sdk/go/sumologic"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := sumologic.NewCseAggregationRule(ctx, "aggregation_rule", &sumologic.CseAggregationRuleArgs{
    			AggregationFunctions: sumologic.CseAggregationRuleAggregationFunctionArray{
    				&sumologic.CseAggregationRuleAggregationFunctionArgs{
    					Name:     pulumi.String("distinct_eventid_count"),
    					Function: pulumi.String("count_distinct"),
    					Arguments: pulumi.StringArray{
    						pulumi.String("metadata_deviceEventId"),
    					},
    				},
    			},
    			DescriptionExpression: pulumi.String("Signal description"),
    			Enabled:               pulumi.Bool(true),
    			EntitySelectors: sumologic.CseAggregationRuleEntitySelectorArray{
    				&sumologic.CseAggregationRuleEntitySelectorArgs{
    					EntityType: pulumi.String("_ip"),
    					Expression: pulumi.String("srcDevice_ip"),
    				},
    			},
    			GroupByEntity: pulumi.Bool(true),
    			GroupByFields: pulumi.StringArray{
    				pulumi.String("dstDevice_hostname"),
    			},
    			MatchExpression: pulumi.String("objectType = \"Network\""),
    			IsPrototype:     pulumi.Bool(false),
    			Name:            pulumi.String("Aggregation Rule Example"),
    			NameExpression:  pulumi.String("Signal name"),
    			SeverityMapping: &sumologic.CseAggregationRuleSeverityMappingArgs{
    				Type:    pulumi.String("constant"),
    				Default: pulumi.Int(5),
    			},
    			SummaryExpression: pulumi.String("Signal summary"),
    			Tags: pulumi.StringArray{
    				pulumi.String("_mitreAttackTactic:TA0009"),
    			},
    			TriggerExpression:     pulumi.String("distinct_eventid_count > 5"),
    			WindowSize:            pulumi.String("T30M"),
    			SuppressionWindowSize: pulumi.Int(2100000),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using SumoLogic = Pulumi.SumoLogic;
    
    return await Deployment.RunAsync(() => 
    {
        var aggregationRule = new SumoLogic.CseAggregationRule("aggregation_rule", new()
        {
            AggregationFunctions = new[]
            {
                new SumoLogic.Inputs.CseAggregationRuleAggregationFunctionArgs
                {
                    Name = "distinct_eventid_count",
                    Function = "count_distinct",
                    Arguments = new[]
                    {
                        "metadata_deviceEventId",
                    },
                },
            },
            DescriptionExpression = "Signal description",
            Enabled = true,
            EntitySelectors = new[]
            {
                new SumoLogic.Inputs.CseAggregationRuleEntitySelectorArgs
                {
                    EntityType = "_ip",
                    Expression = "srcDevice_ip",
                },
            },
            GroupByEntity = true,
            GroupByFields = new[]
            {
                "dstDevice_hostname",
            },
            MatchExpression = "objectType = \"Network\"",
            IsPrototype = false,
            Name = "Aggregation Rule Example",
            NameExpression = "Signal name",
            SeverityMapping = new SumoLogic.Inputs.CseAggregationRuleSeverityMappingArgs
            {
                Type = "constant",
                Default = 5,
            },
            SummaryExpression = "Signal summary",
            Tags = new[]
            {
                "_mitreAttackTactic:TA0009",
            },
            TriggerExpression = "distinct_eventid_count > 5",
            WindowSize = "T30M",
            SuppressionWindowSize = 2100000,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.sumologic.CseAggregationRule;
    import com.pulumi.sumologic.CseAggregationRuleArgs;
    import com.pulumi.sumologic.inputs.CseAggregationRuleAggregationFunctionArgs;
    import com.pulumi.sumologic.inputs.CseAggregationRuleEntitySelectorArgs;
    import com.pulumi.sumologic.inputs.CseAggregationRuleSeverityMappingArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var aggregationRule = new CseAggregationRule("aggregationRule", CseAggregationRuleArgs.builder()
                .aggregationFunctions(CseAggregationRuleAggregationFunctionArgs.builder()
                    .name("distinct_eventid_count")
                    .function("count_distinct")
                    .arguments("metadata_deviceEventId")
                    .build())
                .descriptionExpression("Signal description")
                .enabled(true)
                .entitySelectors(CseAggregationRuleEntitySelectorArgs.builder()
                    .entityType("_ip")
                    .expression("srcDevice_ip")
                    .build())
                .groupByEntity(true)
                .groupByFields("dstDevice_hostname")
                .matchExpression("objectType = \"Network\"")
                .isPrototype(false)
                .name("Aggregation Rule Example")
                .nameExpression("Signal name")
                .severityMapping(CseAggregationRuleSeverityMappingArgs.builder()
                    .type("constant")
                    .default_(5)
                    .build())
                .summaryExpression("Signal summary")
                .tags("_mitreAttackTactic:TA0009")
                .triggerExpression("distinct_eventid_count > 5")
                .windowSize("T30M")
                .suppressionWindowSize(2100000)
                .build());
    
        }
    }
    
    resources:
      aggregationRule:
        type: sumologic:CseAggregationRule
        name: aggregation_rule
        properties:
          aggregationFunctions:
            - name: distinct_eventid_count
              function: count_distinct
              arguments:
                - metadata_deviceEventId
          descriptionExpression: Signal description
          enabled: true
          entitySelectors:
            - entityType: _ip
              expression: srcDevice_ip
          groupByEntity: true
          groupByFields:
            - dstDevice_hostname
          matchExpression: objectType = "Network"
          isPrototype: false
          name: Aggregation Rule Example
          nameExpression: Signal name
          severityMapping:
            type: constant
            default: 5
          summaryExpression: Signal summary
          tags:
            - _mitreAttackTactic:TA0009
          triggerExpression: distinct_eventid_count > 5
          windowSize: T30M
          suppressionWindowSize: 2.1e+06
    

    Create CseAggregationRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new CseAggregationRule(name: string, args: CseAggregationRuleArgs, opts?: CustomResourceOptions);
    @overload
    def CseAggregationRule(resource_name: str,
                           args: CseAggregationRuleArgs,
                           opts: Optional[ResourceOptions] = None)
    
    @overload
    def CseAggregationRule(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           name_expression: Optional[str] = None,
                           description_expression: Optional[str] = None,
                           enabled: Optional[bool] = None,
                           entity_selectors: Optional[Sequence[CseAggregationRuleEntitySelectorArgs]] = None,
                           window_size: Optional[str] = None,
                           trigger_expression: Optional[str] = None,
                           severity_mapping: Optional[CseAggregationRuleSeverityMappingArgs] = None,
                           match_expression: Optional[str] = None,
                           aggregation_functions: Optional[Sequence[CseAggregationRuleAggregationFunctionArgs]] = None,
                           name: Optional[str] = None,
                           is_prototype: Optional[bool] = None,
                           summary_expression: Optional[str] = None,
                           suppression_window_size: Optional[int] = None,
                           tags: Optional[Sequence[str]] = None,
                           group_by_fields: Optional[Sequence[str]] = None,
                           group_by_entity: Optional[bool] = None,
                           window_size_millis: Optional[str] = None)
    func NewCseAggregationRule(ctx *Context, name string, args CseAggregationRuleArgs, opts ...ResourceOption) (*CseAggregationRule, error)
    public CseAggregationRule(string name, CseAggregationRuleArgs args, CustomResourceOptions? opts = null)
    public CseAggregationRule(String name, CseAggregationRuleArgs args)
    public CseAggregationRule(String name, CseAggregationRuleArgs args, CustomResourceOptions options)
    
    type: sumologic:CseAggregationRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CseAggregationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CseAggregationRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CseAggregationRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CseAggregationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CseAggregationRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var cseAggregationRuleResource = new SumoLogic.CseAggregationRule("cseAggregationRuleResource", new()
    {
        NameExpression = "string",
        DescriptionExpression = "string",
        Enabled = false,
        EntitySelectors = new[]
        {
            new SumoLogic.Inputs.CseAggregationRuleEntitySelectorArgs
            {
                EntityType = "string",
                Expression = "string",
            },
        },
        WindowSize = "string",
        TriggerExpression = "string",
        SeverityMapping = new SumoLogic.Inputs.CseAggregationRuleSeverityMappingArgs
        {
            Type = "string",
            Default = 0,
            Field = "string",
            Mappings = new[]
            {
                new SumoLogic.Inputs.CseAggregationRuleSeverityMappingMappingArgs
                {
                    From = "string",
                    To = 0,
                    Type = "string",
                },
            },
        },
        MatchExpression = "string",
        AggregationFunctions = new[]
        {
            new SumoLogic.Inputs.CseAggregationRuleAggregationFunctionArgs
            {
                Arguments = new[]
                {
                    "string",
                },
                Function = "string",
                Name = "string",
            },
        },
        Name = "string",
        IsPrototype = false,
        SummaryExpression = "string",
        SuppressionWindowSize = 0,
        Tags = new[]
        {
            "string",
        },
        GroupByFields = new[]
        {
            "string",
        },
        GroupByEntity = false,
        WindowSizeMillis = "string",
    });
    
    example, err := sumologic.NewCseAggregationRule(ctx, "cseAggregationRuleResource", &sumologic.CseAggregationRuleArgs{
    	NameExpression:        pulumi.String("string"),
    	DescriptionExpression: pulumi.String("string"),
    	Enabled:               pulumi.Bool(false),
    	EntitySelectors: sumologic.CseAggregationRuleEntitySelectorArray{
    		&sumologic.CseAggregationRuleEntitySelectorArgs{
    			EntityType: pulumi.String("string"),
    			Expression: pulumi.String("string"),
    		},
    	},
    	WindowSize:        pulumi.String("string"),
    	TriggerExpression: pulumi.String("string"),
    	SeverityMapping: &sumologic.CseAggregationRuleSeverityMappingArgs{
    		Type:    pulumi.String("string"),
    		Default: pulumi.Int(0),
    		Field:   pulumi.String("string"),
    		Mappings: sumologic.CseAggregationRuleSeverityMappingMappingArray{
    			&sumologic.CseAggregationRuleSeverityMappingMappingArgs{
    				From: pulumi.String("string"),
    				To:   pulumi.Int(0),
    				Type: pulumi.String("string"),
    			},
    		},
    	},
    	MatchExpression: pulumi.String("string"),
    	AggregationFunctions: sumologic.CseAggregationRuleAggregationFunctionArray{
    		&sumologic.CseAggregationRuleAggregationFunctionArgs{
    			Arguments: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Function: pulumi.String("string"),
    			Name:     pulumi.String("string"),
    		},
    	},
    	Name:                  pulumi.String("string"),
    	IsPrototype:           pulumi.Bool(false),
    	SummaryExpression:     pulumi.String("string"),
    	SuppressionWindowSize: pulumi.Int(0),
    	Tags: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	GroupByFields: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	GroupByEntity:    pulumi.Bool(false),
    	WindowSizeMillis: pulumi.String("string"),
    })
    
    var cseAggregationRuleResource = new CseAggregationRule("cseAggregationRuleResource", CseAggregationRuleArgs.builder()
        .nameExpression("string")
        .descriptionExpression("string")
        .enabled(false)
        .entitySelectors(CseAggregationRuleEntitySelectorArgs.builder()
            .entityType("string")
            .expression("string")
            .build())
        .windowSize("string")
        .triggerExpression("string")
        .severityMapping(CseAggregationRuleSeverityMappingArgs.builder()
            .type("string")
            .default_(0)
            .field("string")
            .mappings(CseAggregationRuleSeverityMappingMappingArgs.builder()
                .from("string")
                .to(0)
                .type("string")
                .build())
            .build())
        .matchExpression("string")
        .aggregationFunctions(CseAggregationRuleAggregationFunctionArgs.builder()
            .arguments("string")
            .function("string")
            .name("string")
            .build())
        .name("string")
        .isPrototype(false)
        .summaryExpression("string")
        .suppressionWindowSize(0)
        .tags("string")
        .groupByFields("string")
        .groupByEntity(false)
        .windowSizeMillis("string")
        .build());
    
    cse_aggregation_rule_resource = sumologic.CseAggregationRule("cseAggregationRuleResource",
        name_expression="string",
        description_expression="string",
        enabled=False,
        entity_selectors=[{
            "entity_type": "string",
            "expression": "string",
        }],
        window_size="string",
        trigger_expression="string",
        severity_mapping={
            "type": "string",
            "default": 0,
            "field": "string",
            "mappings": [{
                "from_": "string",
                "to": 0,
                "type": "string",
            }],
        },
        match_expression="string",
        aggregation_functions=[{
            "arguments": ["string"],
            "function": "string",
            "name": "string",
        }],
        name="string",
        is_prototype=False,
        summary_expression="string",
        suppression_window_size=0,
        tags=["string"],
        group_by_fields=["string"],
        group_by_entity=False,
        window_size_millis="string")
    
    const cseAggregationRuleResource = new sumologic.CseAggregationRule("cseAggregationRuleResource", {
        nameExpression: "string",
        descriptionExpression: "string",
        enabled: false,
        entitySelectors: [{
            entityType: "string",
            expression: "string",
        }],
        windowSize: "string",
        triggerExpression: "string",
        severityMapping: {
            type: "string",
            "default": 0,
            field: "string",
            mappings: [{
                from: "string",
                to: 0,
                type: "string",
            }],
        },
        matchExpression: "string",
        aggregationFunctions: [{
            arguments: ["string"],
            "function": "string",
            name: "string",
        }],
        name: "string",
        isPrototype: false,
        summaryExpression: "string",
        suppressionWindowSize: 0,
        tags: ["string"],
        groupByFields: ["string"],
        groupByEntity: false,
        windowSizeMillis: "string",
    });
    
    type: sumologic:CseAggregationRule
    properties:
        aggregationFunctions:
            - arguments:
                - string
              function: string
              name: string
        descriptionExpression: string
        enabled: false
        entitySelectors:
            - entityType: string
              expression: string
        groupByEntity: false
        groupByFields:
            - string
        isPrototype: false
        matchExpression: string
        name: string
        nameExpression: string
        severityMapping:
            default: 0
            field: string
            mappings:
                - from: string
                  to: 0
                  type: string
            type: string
        summaryExpression: string
        suppressionWindowSize: 0
        tags:
            - string
        triggerExpression: string
        windowSize: string
        windowSizeMillis: string
    

    CseAggregationRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The CseAggregationRule resource accepts the following input properties:

    AggregationFunctions List<Pulumi.SumoLogic.Inputs.CseAggregationRuleAggregationFunction>
    One or more named aggregation functions
    DescriptionExpression string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseAggregationRuleEntitySelector>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    MatchExpression string
    The expression for which records to match on
    NameExpression string
    The name of the generated Signals
    SeverityMapping Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    TriggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    WindowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    GroupByEntity bool
    Whether to group records by the specified entity fields
    GroupByFields List<string>
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Name string
    The name of the Rule
    SummaryExpression string
    The summary of the generated Signals
    SuppressionWindowSize int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    Tags List<string>
    The tags of the generated Signals
    WindowSizeMillis string
    AggregationFunctions []CseAggregationRuleAggregationFunctionArgs
    One or more named aggregation functions
    DescriptionExpression string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors []CseAggregationRuleEntitySelectorArgs
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    MatchExpression string
    The expression for which records to match on
    NameExpression string
    The name of the generated Signals
    SeverityMapping CseAggregationRuleSeverityMappingArgs
    The configuration of how the severity of the Signals should be mapped from the Records
    TriggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    WindowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    GroupByEntity bool
    Whether to group records by the specified entity fields
    GroupByFields []string
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    Name string
    The name of the Rule
    SummaryExpression string
    The summary of the generated Signals
    SuppressionWindowSize int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    Tags []string
    The tags of the generated Signals
    WindowSizeMillis string
    aggregationFunctions List<CseAggregationRuleAggregationFunction>
    One or more named aggregation functions
    descriptionExpression String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<CseAggregationRuleEntitySelector>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    matchExpression String
    The expression for which records to match on
    nameExpression String
    The name of the generated Signals
    severityMapping CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    triggerExpression String
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize String
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    groupByEntity Boolean
    Whether to group records by the specified entity fields
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    name String
    The name of the Rule
    summaryExpression String
    The summary of the generated Signals
    suppressionWindowSize Integer

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags List<String>
    The tags of the generated Signals
    windowSizeMillis String
    aggregationFunctions CseAggregationRuleAggregationFunction[]
    One or more named aggregation functions
    descriptionExpression string
    The description of the generated Signals
    enabled boolean
    Whether the rule should generate Signals
    entitySelectors CseAggregationRuleEntitySelector[]
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    matchExpression string
    The expression for which records to match on
    nameExpression string
    The name of the generated Signals
    severityMapping CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    triggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    groupByEntity boolean
    Whether to group records by the specified entity fields
    groupByFields string[]
    A list of fields to group records by
    isPrototype boolean
    Whether the generated Signals should be prototype Signals
    name string
    The name of the Rule
    summaryExpression string
    The summary of the generated Signals
    suppressionWindowSize number

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags string[]
    The tags of the generated Signals
    windowSizeMillis string
    aggregation_functions Sequence[CseAggregationRuleAggregationFunctionArgs]
    One or more named aggregation functions
    description_expression str
    The description of the generated Signals
    enabled bool
    Whether the rule should generate Signals
    entity_selectors Sequence[CseAggregationRuleEntitySelectorArgs]
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    match_expression str
    The expression for which records to match on
    name_expression str
    The name of the generated Signals
    severity_mapping CseAggregationRuleSeverityMappingArgs
    The configuration of how the severity of the Signals should be mapped from the Records
    trigger_expression str
    The expression to determine whether a Signal should be created based on the aggregation results
    window_size str
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    group_by_entity bool
    Whether to group records by the specified entity fields
    group_by_fields Sequence[str]
    A list of fields to group records by
    is_prototype bool
    Whether the generated Signals should be prototype Signals
    name str
    The name of the Rule
    summary_expression str
    The summary of the generated Signals
    suppression_window_size int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags Sequence[str]
    The tags of the generated Signals
    window_size_millis str
    aggregationFunctions List<Property Map>
    One or more named aggregation functions
    descriptionExpression String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<Property Map>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    matchExpression String
    The expression for which records to match on
    nameExpression String
    The name of the generated Signals
    severityMapping Property Map
    The configuration of how the severity of the Signals should be mapped from the Records
    triggerExpression String
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize String
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    groupByEntity Boolean
    Whether to group records by the specified entity fields
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    name String
    The name of the Rule
    summaryExpression String
    The summary of the generated Signals
    suppressionWindowSize Number

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags List<String>
    The tags of the generated Signals
    windowSizeMillis String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CseAggregationRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing CseAggregationRule Resource

    Get an existing CseAggregationRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CseAggregationRuleState, opts?: CustomResourceOptions): CseAggregationRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aggregation_functions: Optional[Sequence[CseAggregationRuleAggregationFunctionArgs]] = None,
            description_expression: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_selectors: Optional[Sequence[CseAggregationRuleEntitySelectorArgs]] = None,
            group_by_entity: Optional[bool] = None,
            group_by_fields: Optional[Sequence[str]] = None,
            is_prototype: Optional[bool] = None,
            match_expression: Optional[str] = None,
            name: Optional[str] = None,
            name_expression: Optional[str] = None,
            severity_mapping: Optional[CseAggregationRuleSeverityMappingArgs] = None,
            summary_expression: Optional[str] = None,
            suppression_window_size: Optional[int] = None,
            tags: Optional[Sequence[str]] = None,
            trigger_expression: Optional[str] = None,
            window_size: Optional[str] = None,
            window_size_millis: Optional[str] = None) -> CseAggregationRule
    func GetCseAggregationRule(ctx *Context, name string, id IDInput, state *CseAggregationRuleState, opts ...ResourceOption) (*CseAggregationRule, error)
    public static CseAggregationRule Get(string name, Input<string> id, CseAggregationRuleState? state, CustomResourceOptions? opts = null)
    public static CseAggregationRule get(String name, Output<String> id, CseAggregationRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AggregationFunctions List<Pulumi.SumoLogic.Inputs.CseAggregationRuleAggregationFunction>
    One or more named aggregation functions
    DescriptionExpression string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors List<Pulumi.SumoLogic.Inputs.CseAggregationRuleEntitySelector>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    GroupByEntity bool
    Whether to group records by the specified entity fields
    GroupByFields List<string>
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    MatchExpression string
    The expression for which records to match on
    Name string
    The name of the Rule
    NameExpression string
    The name of the generated Signals
    SeverityMapping Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    SummaryExpression string
    The summary of the generated Signals
    SuppressionWindowSize int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    Tags List<string>
    The tags of the generated Signals
    TriggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    WindowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    WindowSizeMillis string
    AggregationFunctions []CseAggregationRuleAggregationFunctionArgs
    One or more named aggregation functions
    DescriptionExpression string
    The description of the generated Signals
    Enabled bool
    Whether the rule should generate Signals
    EntitySelectors []CseAggregationRuleEntitySelectorArgs
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    GroupByEntity bool
    Whether to group records by the specified entity fields
    GroupByFields []string
    A list of fields to group records by
    IsPrototype bool
    Whether the generated Signals should be prototype Signals
    MatchExpression string
    The expression for which records to match on
    Name string
    The name of the Rule
    NameExpression string
    The name of the generated Signals
    SeverityMapping CseAggregationRuleSeverityMappingArgs
    The configuration of how the severity of the Signals should be mapped from the Records
    SummaryExpression string
    The summary of the generated Signals
    SuppressionWindowSize int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    Tags []string
    The tags of the generated Signals
    TriggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    WindowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    WindowSizeMillis string
    aggregationFunctions List<CseAggregationRuleAggregationFunction>
    One or more named aggregation functions
    descriptionExpression String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<CseAggregationRuleEntitySelector>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    groupByEntity Boolean
    Whether to group records by the specified entity fields
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    matchExpression String
    The expression for which records to match on
    name String
    The name of the Rule
    nameExpression String
    The name of the generated Signals
    severityMapping CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    summaryExpression String
    The summary of the generated Signals
    suppressionWindowSize Integer

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags List<String>
    The tags of the generated Signals
    triggerExpression String
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize String
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    windowSizeMillis String
    aggregationFunctions CseAggregationRuleAggregationFunction[]
    One or more named aggregation functions
    descriptionExpression string
    The description of the generated Signals
    enabled boolean
    Whether the rule should generate Signals
    entitySelectors CseAggregationRuleEntitySelector[]
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    groupByEntity boolean
    Whether to group records by the specified entity fields
    groupByFields string[]
    A list of fields to group records by
    isPrototype boolean
    Whether the generated Signals should be prototype Signals
    matchExpression string
    The expression for which records to match on
    name string
    The name of the Rule
    nameExpression string
    The name of the generated Signals
    severityMapping CseAggregationRuleSeverityMapping
    The configuration of how the severity of the Signals should be mapped from the Records
    summaryExpression string
    The summary of the generated Signals
    suppressionWindowSize number

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags string[]
    The tags of the generated Signals
    triggerExpression string
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize string
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    windowSizeMillis string
    aggregation_functions Sequence[CseAggregationRuleAggregationFunctionArgs]
    One or more named aggregation functions
    description_expression str
    The description of the generated Signals
    enabled bool
    Whether the rule should generate Signals
    entity_selectors Sequence[CseAggregationRuleEntitySelectorArgs]
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    group_by_entity bool
    Whether to group records by the specified entity fields
    group_by_fields Sequence[str]
    A list of fields to group records by
    is_prototype bool
    Whether the generated Signals should be prototype Signals
    match_expression str
    The expression for which records to match on
    name str
    The name of the Rule
    name_expression str
    The name of the generated Signals
    severity_mapping CseAggregationRuleSeverityMappingArgs
    The configuration of how the severity of the Signals should be mapped from the Records
    summary_expression str
    The summary of the generated Signals
    suppression_window_size int

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags Sequence[str]
    The tags of the generated Signals
    trigger_expression str
    The expression to determine whether a Signal should be created based on the aggregation results
    window_size str
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    window_size_millis str
    aggregationFunctions List<Property Map>
    One or more named aggregation functions
    descriptionExpression String
    The description of the generated Signals
    enabled Boolean
    Whether the rule should generate Signals
    entitySelectors List<Property Map>
    The entities to generate Signals on

    • entityType - (Required) The type of the entity to generate the Signal on.
    groupByEntity Boolean
    Whether to group records by the specified entity fields
    groupByFields List<String>
    A list of fields to group records by
    isPrototype Boolean
    Whether the generated Signals should be prototype Signals
    matchExpression String
    The expression for which records to match on
    name String
    The name of the Rule
    nameExpression String
    The name of the generated Signals
    severityMapping Property Map
    The configuration of how the severity of the Signals should be mapped from the Records
    summaryExpression String
    The summary of the generated Signals
    suppressionWindowSize Number

    For how long to suppress Signal generation, in milliseconds. Must be greater than window_size and less than the global limit of 7 days.

    The following attributes are exported:

    tags List<String>
    The tags of the generated Signals
    triggerExpression String
    The expression to determine whether a Signal should be created based on the aggregation results
    windowSize String
    How long of a window to aggregate records for. Current acceptable values are T05M, T10M, T30M, T60M, T24H, T12H, T05D or CUSTOM
    windowSizeMillis String

    Supporting Types

    CseAggregationRuleAggregationFunction, CseAggregationRuleAggregationFunctionArgs

    Arguments List<string>
    One or more expressions to pass as arguments to the function
    Function string
    The function to aggregate with
    Name string
    The name to use to reference the result in the trigger_expression
    Arguments []string
    One or more expressions to pass as arguments to the function
    Function string
    The function to aggregate with
    Name string
    The name to use to reference the result in the trigger_expression
    arguments List<String>
    One or more expressions to pass as arguments to the function
    function String
    The function to aggregate with
    name String
    The name to use to reference the result in the trigger_expression
    arguments string[]
    One or more expressions to pass as arguments to the function
    function string
    The function to aggregate with
    name string
    The name to use to reference the result in the trigger_expression
    arguments Sequence[str]
    One or more expressions to pass as arguments to the function
    function str
    The function to aggregate with
    name str
    The name to use to reference the result in the trigger_expression
    arguments List<String>
    One or more expressions to pass as arguments to the function
    function String
    The function to aggregate with
    name String
    The name to use to reference the result in the trigger_expression

    CseAggregationRuleEntitySelector, CseAggregationRuleEntitySelectorArgs

    EntityType string
    Expression string
    The expression or field name to generate the Signal on.
    EntityType string
    Expression string
    The expression or field name to generate the Signal on.
    entityType String
    expression String
    The expression or field name to generate the Signal on.
    entityType string
    expression string
    The expression or field name to generate the Signal on.
    entity_type str
    expression str
    The expression or field name to generate the Signal on.
    entityType String
    expression String
    The expression or field name to generate the Signal on.

    CseAggregationRuleSeverityMapping, CseAggregationRuleSeverityMappingArgs

    Type string
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    Default int
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    Field string
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    Mappings List<Pulumi.SumoLogic.Inputs.CseAggregationRuleSeverityMappingMapping>
    The map of record values to severities to use in the "fieldValueMapping" case
    Type string
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    Default int
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    Field string
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    Mappings []CseAggregationRuleSeverityMappingMapping
    The map of record values to severities to use in the "fieldValueMapping" case
    type String
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    default_ Integer
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    field String
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    mappings List<CseAggregationRuleSeverityMappingMapping>
    The map of record values to severities to use in the "fieldValueMapping" case
    type string
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    default number
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    field string
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    mappings CseAggregationRuleSeverityMappingMapping[]
    The map of record values to severities to use in the "fieldValueMapping" case
    type str
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    default int
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    field str
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    mappings Sequence[CseAggregationRuleSeverityMappingMapping]
    The map of record values to severities to use in the "fieldValueMapping" case
    type String
    Whether to set a constant severity ("constant"), set the severity based on the direct value of a record field ("fieldValue"), or map a record field value to a severity ("fieldValueMapping").
    default Number
    The severity to use in the "constant" case or to fall back to if the field used by "fieldValue"/"fieldValueMapping" is not populated.
    field String
    The field to use in the "fieldValue"/"fieldValueMapping" cases.
    mappings List<Property Map>
    The map of record values to severities to use in the "fieldValueMapping" case

    CseAggregationRuleSeverityMappingMapping, CseAggregationRuleSeverityMappingMappingArgs

    From string
    The record value to map from
    To int
    The severity value to map to
    Type string
    Must be set to "eq" currently
    From string
    The record value to map from
    To int
    The severity value to map to
    Type string
    Must be set to "eq" currently
    from String
    The record value to map from
    to Integer
    The severity value to map to
    type String
    Must be set to "eq" currently
    from string
    The record value to map from
    to number
    The severity value to map to
    type string
    Must be set to "eq" currently
    from_ str
    The record value to map from
    to int
    The severity value to map to
    type str
    Must be set to "eq" currently
    from String
    The record value to map from
    to Number
    The severity value to map to
    type String
    Must be set to "eq" currently

    Import

    Aggregation Rules can be imported using the field id, e.g.:

    hcl

    $ pulumi import sumologic:index/cseAggregationRule:CseAggregationRule aggregation_rule id
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Sumo Logic pulumi/pulumi-sumologic
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the sumologic Terraform Provider.
    sumologic logo
    Sumo Logic v0.23.7 published on Thursday, Oct 24, 2024 by Pulumi