Rules based on aggregate SUM

Use case example:

We want to monitor, in real time, whether a user has sent more than 100MB via email in the last 24 hours.

How it will work:

We will create a data monitor that collects the events from the last X time and sums the quantity per user.

After that, we will create a rule that uses the audit events of the data monitor to check whether the summed value exceeds a specific threshold.

Step 1: Create a Data Monitor

Create a new Data Monitor and choose the data monitor type “Top Value Counts”.

Set the following preferences:

  • Value Field – The field we need to sum (bytes out).
  • Send Audit Events – Set to true. An audit event is generated after any change.
  • Top entries – Be aware: only the top entries are audited; anything outside them is folded into “others” and will never reach the rule.

Step 2: Create Filter

  • Create a new filter with the following conditions:
  • Under Generator, choose your Data Monitor resource.
  • Exclude “others” from Device Custom String 1 – “others” is the sum of all the entries that are not in the Top entries.


Step 3: Create Rule

  • Create a new rule and add the filter from the previous step.
  • Device Custom String 1 is the aggregated field value (you can add it under the aggregation tab).
  • Device Custom Number 1 is the total value; use it in the condition, for example “user printed more than a million pages”, etc.
  • Add your own action.

And you're done.

The rule will fire once a user (or your custom field) passes your threshold within the time frame you set in the data monitor.
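To make the behaviour of the three steps concrete, here is an added simulation (not ArcSight code, and not part of the original post) of what the Top Value Counts monitor and the rule do: a sliding-window sum per sender, only the top N entries audited with the rest folded into “others”, then a rule that excludes “others” and checks the total against the threshold. The sample events and the field names `deviceCustomString1` / `deviceCustomNumber1` used for the audit tuples are constructed for the example; the second call shows the Top entries caveat, where a sender above the threshold is silently lost when N is too small.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
WINDOW = timedelta(hours=24)            # the data monitor's time frame
THRESHOLD_BYTES = 100 * MB              # rule condition: more than 100MB

# Constructed sample email events: (timestamp, sender, bytes out)
EVENTS = [
    (datetime(2024, 1, 1, 8, 0),  "alice", 60 * MB),   # falls outside the window below
    (datetime(2024, 1, 1, 12, 0), "alice", 50 * MB),
    (datetime(2024, 1, 1, 14, 0), "bob",   105 * MB),
    (datetime(2024, 1, 1, 18, 0), "carol", 5 * MB),
    (datetime(2024, 1, 2, 7, 0),  "alice", 60 * MB),
    (datetime(2024, 1, 2, 9, 0),  "dave",  1 * MB),
]
NOW = datetime(2024, 1, 2, 10, 0)       # evaluation time for the examples


def top_value_counts(events, now, top, window=WINDOW):
    """Step 1: sum bytes out per sender over the window, keep the top N senders,
    and fold everything else into a single 'others' entry.
    Returns audit-style tuples (deviceCustomString1, deviceCustomNumber1)."""
    sums = defaultdict(int)
    for ts, sender, nbytes in events:
        if now - window < ts <= now:
            sums[sender] += nbytes
    ranked = sorted(sums.items(), key=lambda kv: kv[1], reverse=True)
    audit = ranked[:top]
    rest = sum(total for _, total in ranked[top:])
    if rest:
        audit.append(("others", rest))
    return audit


def rule_matches(audit_events, threshold=THRESHOLD_BYTES):
    """Steps 2 and 3: drop 'others' (the filter), then fire for every audited
    sender whose total exceeds the threshold (the rule condition)."""
    return [s for s, total in audit_events if s != "others" and total > threshold]


if __name__ == "__main__":
    for top in (2, 1):
        audit = top_value_counts(EVENTS, NOW, top=top)
        print(f"top={top}: audit={audit}")
        print(f"  rule fires for: {rule_matches(audit)}")
```

With two top entries both alice and bob fire; with one top entry bob's 105MB is merged into “others” and the rule never sees it, which is why the Top entries setting must be sized for the number of senders you expect to exceed the threshold at once.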

Ofek Sher,
