Example: Populating Active Lists with Trend Results
Suppose you want to monitor top failed user logins daily and send that data to an active list. (You could then configure rules to interact with the active list and trigger an alarm based on some threshold; for example, a single user with a certain number of failed logins per day.) To do this, you could create an active list with fields that map to a trend that monitors “top users with failed logins”.
To see the fields in this trend:
- Select the trend of interest.
- Select the trend, right-click and select Data Viewer from the context menu to display the trend results in the Viewer.
Your active list must have one or more of the trend's fields to capture relevant data in the list, as we’ll show in the next section where we define the trend.
To continue with the example, we could create a fields-based active list with fields that map to the trend “Top Users with Failed Logins per Day” as follows.
Name | Type | Key Field |
---|---|---|
User Name | String | This is the key field. |
Day and Time | Date | |
Number of Failed Logins | Long | |
When the trend runs, it populates the active list with data on top users with failed logins by user name, and lists the count of failed logins for each user along with date/time information. This active list could be used as the basis for rules, filters, active channels, and so on.
Notes on Trend Action Behavior
- Trend updates either insert the row if new, or update an existing row. The update only populates or overrides the columns specified by the trend column mapping. Any other active list columns that do not have trend column mappings preserve their existing values. This means that a single active list can be updated by multiple trends, each updating different columns. The active list is appropriately locked during the read-modify-write cycle to avoid data corruption.
- A trend can be executed under a variety of circumstances, including refresh and backfill (data from the past). However, only the most recent data are entered into the active list. For example, no backfill data are added to the active list. A trend refresh run does not normally cause the active list to update, with the only exception being if it is the most recent data being refreshed.
- This trend action never removes entries from the active list. If you want to have entries removed, use the active list's TTL (time-to-live) to have them expire. The TTL setting is described in Creating or Editing an Active List.
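The behavior in the notes above can be modeled in a few lines of Python. This is an added illustration, not product code: the class, the trend names, the "Department" column and the sample rows are hypothetical, and two details are assumptions: TTL is measured from an entry's last update, and "most recent data" is decided by comparing each run's interval end per trend.

```python
import threading
import time


class ActiveListModel:
    """Toy in-memory model of a fields-based active list (not ArcSight code)."""
    def __init__(self, key_field, ttl_seconds):
        self.key_field = key_field
        self.ttl = ttl_seconds
        self.rows = {}      # key value -> {"fields": {...}, "touched": timestamp}
        self.latest = {}    # trend name -> newest interval end applied so far
        self.lock = threading.Lock()

    def apply_trend(self, trend, interval_end, mapping, results, now=None):
        """Upsert trend rows; mapping is {trend column: active list column}."""
        now = time.time() if now is None else now
        with self.lock:  # the whole read-modify-write cycle runs under one lock
            # Backfill or a refresh of an older interval is skipped; a refresh
            # of the most recent interval is still applied.
            if interval_end < self.latest.get(trend, interval_end):
                return 0
            self.latest[trend] = interval_end
            for result in results:
                mapped = {mapping[c]: v for c, v in result.items() if c in mapping}
                key = mapped[self.key_field]
                row = self.rows.setdefault(key, {"fields": {}, "touched": now})
                row["fields"].update(mapped)  # unmapped columns keep their values
                row["touched"] = now
            return len(results)

    def expire(self, now=None):
        """Only TTL removes entries; a trend run never deletes anything."""
        now = time.time() if now is None else now
        with self.lock:
            stale = [k for k, r in self.rows.items() if now - r["touched"] >= self.ttl]
            for k in stale:
                del self.rows[k]
            return stale


def demo():
    # Constructed sample data: two trends write different columns of one list.
    al = ActiveListModel("User Name", ttl_seconds=86400)
    logins = {"user": "User Name", "day": "Day and Time", "fails": "Number of Failed Logins"}
    dept = {"user": "User Name", "dept": "Department"}  # hypothetical second trend
    al.apply_trend("failed_logins", 2, logins, [{"user": "jdoe", "day": "2024-05-02", "fails": 14}], now=0)
    al.apply_trend("user_dept", 2, dept, [{"user": "jdoe", "dept": "Finance"}], now=10)
    skipped = al.apply_trend("failed_logins", 1, logins, [{"user": "jdoe", "day": "2024-05-01", "fails": 99}], now=20)
    return al, skipped
```

When writing rules against such a list, note that a row's count reflects the latest trend run only, and a user who stops appearing in the trend stays in the list until the TTL removes the entry.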