The following objects are directly related to the
The correlation object has the following properties.
|correlationid||string||(readonly) ID of the correlation.|
|string||Name of the correlation.|
|description||string||Description of the correlation.|
|status||integer||Whether the correlation is enabled or disabled. Possible values are: 0 - (default) enabled; 1 - disabled.|
The correlation operation object defines an operation that will be performed when a correlation is executed. It has the following properties.
|integer||Type of operation. Possible values are: 0 - close old events; 1 - close new event.|
The correlation filter object defines a set of conditions that must be met to perform the configured correlation operations. It has the following properties.
|integer||Filter condition evaluation method. Possible values are: 0 - and/or; 1 - and; 2 - or; 3 - custom expression.|
|array||Set of filter conditions to use for filtering results.|
|eval_formula||string||(readonly) Generated expression that will be used for evaluating filter conditions. The expression contains IDs that reference specific filter conditions by its
|formula||string||User-defined expression to be used for evaluating conditions of filters with a custom expression. The expression must contain IDs that reference specific filter conditions by its
Required for custom expression filters.
The correlation filter condition object defines a specific condition that must be checked before running the correlation operations.
|integer||Type of condition. Possible values are: 0 - old event tag; 1 - new event tag; 2 - new event host group; 3 - event tag pair; 4 - old event tag value; 5 - new event tag value.|
|tag||string||Event tag (old or new). Required when type of condition is: 0, 1, 4, 5.|
|groupid||string||Host group ID. Required when type of condition is: 2.|
|oldtag||string||Old event tag. Required when type of condition is: 3.|
|newtag||string||New event tag. Required when type of condition is: 3.|
|value||string||Event tag (old or new) value. Required when type of condition is: 4, 5.|
|formulaid||string||Arbitrary unique ID that is used to reference the condition from a custom expression. Can only contain uppercase letters. The ID must be defined by the user when modifying filter conditions, but will be generated anew when requesting them afterward.|
Required when type of condition is: 2, 4, 5.
The following operators and values are supported for each condition type.
|Condition||Condition name||Supported operators||Expected value|
|2||Host group||=, <>||Host group ID.|
|4||Old event tag value||=, <>, like, not like||string|
|5||New event tag value||=, <>, like, not like||string|
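Because a correlation closes events automatically, a malformed filter is worth catching before the rule is saved. The following check is an added example, not part of the original reference: it applies the required-field, operator, and `formulaid` rules from the tables above to a filter given as a Python dict. The key names `conditions`, `type`, `evaltype` and `operator` are assumptions (their name cells are missing on this page), and operators are written as the symbols from the table rather than in any wire format.

```python
import re

# Required keys per condition type, from the filter condition table above.
REQUIRED = {0: ["tag"], 1: ["tag"], 2: ["groupid"], 3: ["oldtag", "newtag"],
            4: ["tag", "value"], 5: ["tag", "value"]}
LIKE_OPS = {"=", "<>", "like", "not like"}
# Supported operators per condition type, from the operator table above.
OPERATORS = {2: {"=", "<>"}, 4: LIKE_OPS, 5: LIKE_OPS}
CUSTOM_EXPRESSION = 3  # evaluation method "custom expression"


def validate_filter(flt):
    """Return a list of problems found in a correlation filter dict."""
    problems, ids = [], set()
    # "conditions", "type", "evaltype", "operator" are assumed key names.
    for i, cond in enumerate(flt.get("conditions", [])):
        ctype = cond.get("type")
        if ctype not in REQUIRED:
            problems.append(f"condition {i}: unknown type {ctype!r}")
            continue
        for key in REQUIRED[ctype]:
            if key not in cond:
                problems.append(f"condition {i}: {key} required for type {ctype}")
        if ctype in OPERATORS and cond.get("operator") not in OPERATORS[ctype]:
            problems.append(f"condition {i}: operator missing or unsupported")
        fid = cond.get("formulaid")
        if fid is not None:
            if not re.fullmatch(r"[A-Z]+", fid):
                problems.append(f"condition {i}: formulaid {fid!r} is not capital letters")
            elif fid in ids:
                problems.append(f"condition {i}: formulaid {fid} is not unique")
            ids.add(fid)
    if flt.get("evaltype") == CUSTOM_EXPRESSION:
        formula = flt.get("formula") or ""
        if not formula:
            problems.append("formula required for custom expression filters")
        # Assumes the logical keywords in the formula are lowercase (and/or).
        for ref in sorted(set(re.findall(r"\b[A-Z]+\b", formula)) - ids):
            problems.append(f"formula references undefined condition {ref}")
    return problems


# Constructed sample filters, not taken from a real system.
GOOD = {"evaltype": 3, "formula": "A and B", "conditions": [
    {"type": 4, "tag": "service", "value": "db", "operator": "=", "formulaid": "A"},
    {"type": 2, "groupid": "12", "operator": "<>", "formulaid": "B"}]}
BAD = {"evaltype": 3, "formula": "A or C", "conditions": [
    {"type": 3, "oldtag": "host", "formulaid": "A"},
    {"type": 2, "groupid": "12", "operator": "like", "formulaid": "b1"}]}
```

`validate_filter(BAD)` reports the missing `newtag`, the unsupported `like` operator on a host group condition, the invalid `formulaid`, and the formula's reference to an undefined condition.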