Profiles are an essential part of the alert processing concept, along with Keys. Consider the following alert example: an alert shall be raised if a URI fails to authenticate more than three times a minute. To judge whether an alert shall be raised, alert processing must remember if and when the URI last failed to authenticate. We call this persistent information a profile. A profile is always uniquely identified by a Key (the URI address in this example), and it contains information specific to all alerts that relate to that key. Profiles are mainly internal to alert processing, but they can be inspected, and some minor bits may also be modified, using the Alert API.
An example of a profile relating to key "tls-cn=5340085e-0e10-4b3c-8f4b-2fefe517bf6b" is shown below as retrieved using the "getprofile" API. It includes information identifying the key (.key, .keyattr, .keytype) and then groups specific to the alerts ever enabled for this key (orphaned alert sections are archived as well). The alert groups contain attributes specific to their alert types ("sudden change" and "string match" in the example) as well as common attributes. The common attributes include:
counterExceeded: counter of how many times the alert criteria were met since the alert section was created. An alert is not raised every time the criteria are met: it may be suppressed or throttled.
counterRaised: how many times an alert was raised.
created: timestamp when this alert section was created.
description: human-readable alert description taken from the alert configuration.
docid: ID of the most recent alert event as stored in Elasticsearch.
lastExceededTS: timestamp when the alert criteria were last exceeded.
lastModifiedTS: timestamp when the alert section was last modified.
lastRaisedTS: timestamp when the alert was last raised. Used for throttling.
supression: undefined, true or false; may be steered using the API. If enabled, alerts are not raised.
Profiles are stored in a REDIS database using a "flattened" structure. REDIS keys identify the key type, value and tenant ID.
{ "Item" : {
    "CSC_uL5p70y" : {
        "alertKeyId" : "cstm#tls-cn_1466050977",
        "counterExceeded" : 1150,
        "counterRaised" : 4,
        "created" : 1715355004,
        "description" : "#7 OZT number of exp-regs began to change rapidly",
        "docid" : "2efbdaf0-0ee2-11ef-beb7-63a2f8ef44d9",
        "lastExceededTS" : 1715355405,
        "lastModifiedTS" : 1715355405,
        "lastRaisedTS" : 1715355008,
        "lw" : {
            "avg" : 1,
            "max" : 1,
            "min" : 1,
            "rpm" : 77.26666666666667,
            "sum" : 1159
        },
        "sw" : {
            "avg" : 1,
            "max" : 1,
            "min" : 1,
            "rpm" : 157.8,
            "sum" : 789
        }
    },
    "CSM_NFwgCbJ" : {
        "alertKeyId" : "cstm#tls-cn_1466050977",
        "counterExceeded" : 2,
        "counterRaised" : 1,
        "created" : 1715355017,
        "description" : "redis health",
        "docid" : "3428edb0-0ee2-11ef-beb7-63a2f8ef44d9",
        "lastExceededTS" : 1715355017,
        "lastModifiedTS" : 1715355017,
        "lastRaisedTS" : 1715355017,
        "lastmatch" : "(attrs.type:=ingest_redishealth) = ingest_redishealth"
    },
    "key" : "tls-cn#5340085e-0e10-4b3c-8f4b-2fefe517bf6b",
    "keyattr" : "tls-cn",
    "keytype" : "cstm"
}}
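The sketch below is an added illustration, not the product's own code: it shows how the common attributes can drive the "more than three failed authentications a minute" rule from the opening example, and why counterExceeded grows faster than counterRaised once throttling and suppression apply. The throttle interval, the alert section ID, the `_failures` window and the sample key are assumptions made for the example.

```python
from collections import deque

THRESHOLD = 3               # raise when MORE than 3 failures ...
WINDOW_S = 60               # ... fall within one minute (the page's example rule)
THROTTLE_S = 300            # assumed throttle interval; not stated on the page
ALERT_ID = "AUTHFAIL_demo"  # hypothetical alert section ID

def new_section(now):
    # Common attributes as listed above; "_failures" is a hypothetical
    # alert-type-specific field holding the sliding window of timestamps.
    return {"counterExceeded": 0, "counterRaised": 0, "created": now,
            "description": "auth failures > 3/min", "lastExceededTS": None,
            "lastModifiedTS": now, "lastRaisedTS": None, "_failures": deque()}

def on_auth_failure(profiles, key, now):
    """Record one failed authentication for `key`; return True if an alert is raised."""
    profile = profiles.setdefault(key, {"key": key})
    sec = profile.setdefault(ALERT_ID, new_section(now))
    fails = sec["_failures"]
    fails.append(now)
    while fails[0] <= now - WINDOW_S:      # drop events older than the window
        fails.popleft()
    sec["lastModifiedTS"] = now
    if len(fails) <= THRESHOLD:
        return False                        # criteria not met
    sec["counterExceeded"] += 1             # criteria met, counted even if not raised
    sec["lastExceededTS"] = now
    if sec.get("supression") is True:       # attribute name spelled as on the page
        return False                        # suppressed via the API
    last = sec["lastRaisedTS"]
    if last is not None and now - last < THROTTLE_S:
        return False                        # throttled
    sec["counterRaised"] += 1
    sec["lastRaisedTS"] = now
    return True

def replay(events):
    """Feed (timestamp, key) events through the rule; return profiles and raised alerts."""
    profiles = {}
    raised = [ts for ts, key in events if on_auth_failure(profiles, key, ts)]
    return profiles, raised

# Constructed sample: a burst every 10 s, then a second burst after the throttle expired.
KEY = "uri#alice@example.org"
SAMPLE = [(1000 + 10 * i, KEY) for i in range(8)] + [(1400 + i, KEY) for i in range(4)]
```

Replaying SAMPLE meets the criteria six times but raises only two alerts, the same pattern as the CSC_uL5p70y section above (1150 exceeded, 4 raised).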