Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func BurstDetection
BurstDetection detects and handles bursts based on severity level and AGGREGATE_TRAFFIC.
Parameters:
- logsBurst: map storing burst states by category (e.g., 'ERROR', 'AGGREGATE_TRAFFIC').
- word: current log level (e.g., 'ERROR', 'CRITICAL'), previously extracted from content.
Returns:
- void: the function operates through side effects, modifying logsBurst and triggering webhooks
The function performs:
If 'word' is in the error list (errs), it handles specific burst logic for that level:
- Calculates elapsed time since the window started (WindowStart).
- If the limit is exceeded (LimitBreak), it restarts the window, resets the alert counter, and initializes the message counter to 1.
- If the counter is <= 10, it jumps to CheckGlobal (not yet burst).
- If 10 alerts have already been sent or the last one was less than 5 seconds ago, it does nothing (rate limiting).
- Otherwise, it triggers a webhook via webhooks.HandleWebhook, updates LastAlertTime, and increments AlertsSent.
CheckGlobal: label that unifies the flow to handle AGGREGATE_TRAFFIC bursts:
- Retrieves or creates the 'AGGREGATE_TRAFFIC' entry in logsBurst.
- Increments its counter and checks the elapsed time.
- If it exceeds LimitBreak, it restarts the burst window, resets the message counter, and sets the alert counter to 1.
- If the global counter is < 100, it does nothing.
- If 10 global alerts have been sent or the last one was less than 5 seconds ago, it does nothing.
- Otherwise, it triggers a webhook for AGGREGATE_TRAFFIC and updates its metadata.
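An added example, not the package's own code: a minimal Go model of the per-level branch described above, driven by a constructed clock so the number of alerts a burst produces can be checked. The 60-second window length, the Count field and the observe and simulate helpers are assumptions; the documented function calls webhooks.HandleWebhook where this model returns true.

```go
package main

import (
	"fmt"
	"time"
)

const (
	limitBreak = 60 * time.Second // assumed: the page names LimitBreak but gives no value
	threshold  = 10               // per-level count that is still "not yet burst"
	maxAlerts  = 10               // alerts allowed per window
	minGap     = 5 * time.Second  // minimum spacing between alerts
)

type burstState struct { // field names from the doc; Count is an assumed name
	WindowStart, LastAlertTime time.Time
	Count, AlertsSent          int
}

// observe records one message at time now and reports whether an alert fires.
func observe(s *burstState, now time.Time) bool {
	s.Count++
	if now.Sub(s.WindowStart) > limitBreak { // window expired: restart it
		s.WindowStart, s.AlertsSent, s.Count = now, 0, 1
	}
	if s.Count <= threshold {
		return false // not yet a burst
	}
	if s.AlertsSent >= maxAlerts || now.Sub(s.LastAlertTime) < minGap {
		return false // rate limited: window quota used up or last alert too recent
	}
	s.LastAlertTime, s.AlertsSent = now, s.AlertsSent+1
	return true // the documented function calls webhooks.HandleWebhook at this point
}

// simulate feeds n messages spaced gap apart and returns how many alerts fire.
func simulate(n int, gap time.Duration) (alerts int) {
	now := time.Unix(1700000000, 0) // constructed start time
	s := &burstState{WindowStart: now}
	for i := 0; i < n; i, now = i+1, now.Add(gap) {
		if observe(s, now) {
			alerts++
		}
	}
	return alerts
}

func main() {
	fmt.Println(simulate(1000, 10*time.Millisecond), simulate(60, time.Second))
}
```

With these assumed values, 1000 ERROR lines arriving in 10 seconds raise 2 alerts, and a 60-second burst at one line per second raises 10.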
Types
This section is empty.